(a) to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care;

(b) to provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act;

(c) to provide individuals with a right to require the correction or amendment of personal health information about themselves, subject to limited and specific exceptions set out in this Act;

(d) to provide for independent review and resolution of complaints with respect to personal health information; and

“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated; (“mandataire”)

“Assistant Commissioner” means the Assistant Commissioner for Personal Health Information appointed under the Freedom of Information and Protection of Privacy Act; (“commissaire adjoint”)

“attorney for personal care” means an attorney under a power of attorney for personal care made in accordance with the Substitute Decisions Act, 1992; (“procureur au soin de la personne”)

“attorney for property” means an attorney under a continuing power of attorney for property made in accordance with the Substitute Decisions Act, 1992; (“procureur aux biens”)

“collect”, in relation to personal health information, means to gather, acquire, receive or obtain the information by any means from any source, and “collection” has a corresponding meaning; (“recueillir”, “collecte”)

“Commissioner” means the Information and Privacy Commissioner appointed under the Freedom of Information and Protection of Privacy Act; (“commissaire”)

“disclose”, in relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information, and “disclosure” has a corresponding meaning; (“divulguer”, “divulgation”)

“guardian of property” means a guardian of property or a statutory guardian of property under the Substitute Decisions Act, 1992; (“tuteur aux biens”)

“guardian of the person” means a guardian of the person appointed under the Substitute Decisions Act, 1992; (“tuteur à la personne”)

“health care” means any observation, examination, assessment, care, service or procedure that is done for a health‑related purpose and that,

(a) is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition,

(b) is carried out or provided to prevent disease or injury or to promote health, or

(c) is carried out or provided as part of palliative care,

and includes,

(d) the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription, and

(e) a community service that is described in subsection 2 (3) of the Home Care and Community Services Act, 1994 and provided by a service provider within the meaning of that Act; (“soins de santé”)

“health care practitioner” means,

(a) a person who is a member within the meaning of the
Regulated Health Professions Act, 1991 and who provides health care,

(b) Repealed: 2007, c. 10, Sched. P, s. 19.

(c) a person who is a member of the Ontario College of Social Workers and Social Service Workers and who provides health care, or

(d) any other person whose primary function is to provide health care for payment; (“praticien de la santé”)

“health information custodian” has the meaning set out in section 3; (“dépositaire de renseignements sur la santé”)

“health number” means the number, the version code or both of them assigned to an insured person within the meaning of the Health Insurance Act by the General Manager within the meaning of that Act; (“numéro de la carte Santé”)

“individual”, in relation to personal health information, means the individual, whether living or deceased, with respect to whom the information was or is being collected or created; (“particulier”)

“information practices”, in relation to a health information custodian, means the policy of the custodian for actions in relation to personal health information, including,

(a) when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and

(b) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information; (“pratiques relatives aux renseignements”)

“local health integration network” means a local health integration network as defined in section 2 of the Local Health System Integration Act, 2006; (“réseau local d’intégration des services de santé”)

“Minister” means the Minister of Health and Long-Term Care; (“ministre”)

“Ministry” means the Ministry of Health and Long-Term Care; (“ministère”)

“partner” means either of two persons who have lived together for at least one year and have a close personal relationship that is of primary importance in both persons’ lives; (“partenaire”)

“person” includes a partnership, association or other entity; (“personne”)

“personal health information” has the meaning set out in section 4; (“renseignements personnels sur la santé”)

“prescribed” means prescribed by the regulations made under this Act; (“prescrit”)

“prescribed organization” means the organization prescribed for the purposes of Part V.1 and, if more than one organization is prescribed, means every applicable prescribed organization; (“organisation prescrite”)

“proceeding” includes a proceeding held in, before or under the rules of a court, a tribunal, a commission, a justice of the peace, a coroner, a committee of a College within the meaning of the Regulated Health Professions Act, 1991, a committee of the Board of Regents continued under the Drugless Practitioners Act, a committee of the Ontario College of Social Workers and Social Service Workers under the Social Work and Social Service Work Act, 1998, an arbitrator or a mediator; (“instance”)

“quality of care information” has the same meaning as in the Quality of Care Information Protection Act, 2004; (“renseignements sur la qualité des soins”)

“record” means a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record; (“dossier”)

“relative” means either of two persons who are related to each other, including through marriage or adoption; (“membre de la famille”)

“research” means a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of them, and includes the development, testing and evaluation of research; (“recherche”)

“researcher” means a person who conducts research; (“chercheur”)

“research ethics board” means a board of persons that is established for the purpose of approving research plans under section 44 and that meets the prescribed requirements; (“commission d’éthique de la recherche”)

“spouse” means either of two persons who,

(a) are married to each other, or

(b) live together in a conjugal relationship outside marriage and,

(i) have cohabited for at least one year,

(ii) are together the parents of a child, or

(iii) have together entered into a cohabitation agreement under section 53 of the Family Law Act,

unless they are living separate and apart as a result of a breakdown of their relationship; (“conjoint”)

“substitute decision-maker” has the meaning set out in section 5; (“mandataire spécial”)

“health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:

1. A health care practitioner or a person who operates a group practice of health care practitioners.

2. A service provider within the meaning of the Home Care and Community Services Act, 1994 who provides a community service to which that Act applies.

3. Repealed: 2016, c. 30, s. 43 (1).

4. A person who operates one of the following facilities, programs or services:

i. A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act
or an independent health facility within the meaning of the Independent Health Facilities Act.

Note: On a day to be named by proclamation of the Lieutenant Governor, subparagraph 4 i of subsection 3 (1) of the Act is amended by striking out “a private hospital within the meaning of the Private Hospitals Act”. (See: 2017, c. 25, Sched. 9, s. 109 (1))

Note: On a day to be named by proclamation of the Lieutenant Governor, subparagraph 4 i of subsection 3 (1) of the Act is amended by striking out “an independent health facility within the meaning of the Independent Health Facilities Act” at the end and substituting “a community health facility within the meaning of the Oversight of Health Facilities and Devices Act, 2017”. (See: 2017, c. 25, Sched. 9, s. 109 (2))

ii. A long-term care home within the meaning of the Long-Term Care Homes Act, 2007, a placement co-ordinator described in subsection 40 (1) of that Act, or a care home within the meaning of the Residential Tenancies Act, 2006.

ii.1 a retirement home within the meaning of the
Retirement Homes Act, 2010.

iii. A pharmacy within the meaning of Part VI of the Drug and Pharmacies Regulation Act.

iv. A laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act.

v. An ambulance service within the meaning of the Ambulance Act.

vi. A home for special care within the meaning of the Homes for Special Care Act.

vii. A centre, program or service for community health or mental health whose primary purpose is the provision of health care.

5. An evaluator within the meaning of the Health Care Consent Act, 1996 or an assessor within the meaning of the Substitute Decisions Act, 1992.

6. A medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act.

7. The Minister, together with the Ministry of the Minister if the context so requires.

(3) Except as is prescribed, a person described in any of the following paragraphs is not a health information custodian in respect of personal health information that the person collects, uses or discloses while performing the person’s powers or duties or the work described in the paragraph, if any:

1. A person described in paragraph 1, 2 or 5 of the definition of “health information custodian” in subsection (1) who is an agent of a health information custodian.

2. A person who is authorized to act for or on behalf of a person that is not a health information custodian, if the scope of duties of the authorized person does not include the provision of health care.

3. The Minister when acting on behalf of an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is not a health information custodian. 2004, c. 3, Sched. A, s. 3 (3).

Other exceptions

(4) A health information custodian does not include a person described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the work described in the paragraph:

1. An aboriginal healer who provides traditional healing services to aboriginal persons or members of an aboriginal community.

2. An aboriginal midwife who provides traditional midwifery services to aboriginal persons or members of an aboriginal community.

3. A person who treats another person solely by prayer or spiritual means in accordance with the tenets of the religion of the person giving the treatment. 2004, c. 3, Sched. A, s. 3 (4).

Multiple facilities

(5) Subject to subsection (6) or an order of the Minister under subsection (8), a health information custodian that operates more than one facility described in one of the subparagraphs of paragraph 4 of the definition of “health information custodian” in subsection (1) shall be deemed to be a separate custodian with respect to personal health information of which it has custody or control as a result of or in connection with operating each of the facilities that it operates. 2004, c. 3, Sched. A, s. 3 (5).

Single custodian

(6) Despite subsection (5), the following persons shall be deemed to be a single health information custodian with respect to all the functions described in the applicable paragraph, if any:

1. A person who operates a hospital within the meaning of the Public Hospitals Act and any of the facilities, programs or services described in paragraph 4 of the definition of “health information custodian” in subsection (1).

(7) A health information custodian that operates more than one facility described in one of the subparagraphs of paragraph 4 of the definition of “health information custodian” in subsection (1) or two or more health information custodians may apply to the Minister, in a form approved by the Minister, for an order described in subsection (8). 2004, c. 3, Sched. A, s. 3 (7).

Minister’s order

(8) Upon receiving an application described in subsection (7), the Minister may make an order permitting all or some of the applicants to act as a single health information custodian on behalf of those facilities, powers, duties or work that the Minister specifies, subject to the terms that the Minister considers appropriate and specifies in the order, if the Minister is of the opinion that it is appropriate to make the order in the circumstances, having regard to,

(a) the public interest;

(b) the ability of the applicants to provide individuals with reasonable access to their personal health information;

(c) the ability of the applicants to comply with the requirements of this Act; and

(9) In an order made under subsection (8), the Minister may order that any class of health information custodians that the Minister considers to be situated similarly to the applicants is permitted to act as a single health information custodian, subject to the terms that the Minister considers appropriate and specifies in the order, if the Minister is of the opinion that it is appropriate to so order, having regard to,

(a) the public interest;

(b) the ability of the custodians that are subject to the order made under this subsection to provide individuals with reasonable access to their personal health information;

(c) the ability of the custodians that are subject to the order made under this subsection to comply with the requirements of this Act; and

(d) whether permitting the custodians that are subject to the order made under this subsection to act as a single health information custodian is necessary to enable them to effectively provide integrated health care. 2004, c. 3, Sched. A, s. 3 (9).

No hearing required

(10) The Minister is not required to hold a hearing or to afford to any person an opportunity for a hearing before making an order under subsection (8). 2004, c. 3, Sched. A, s. 3 (10).

Duration

(11) Subject to subsection (12), a health information custodian does not cease to be a health information custodian with respect to a record of personal health information until complete custody and control of the record, where applicable, passes to another person who is legally authorized to hold the record. 2004, c. 3, Sched. A, s. 3 (11).

Death of custodian

(12) If a health information custodian dies, the following person shall be deemed to be the health information custodian with respect to records of personal health information held by the deceased custodian until custody and control of the records, where applicable, passes to another person who is legally authorized to hold the records:

1. The estate trustee of the deceased custodian.

2. The person who has assumed responsibility for the administration of the deceased custodian’s estate, if the estate does not have an estate trustee. 2004, c. 3, Sched. A, s. 3 (12).

“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual. 2004, c. 3, Sched. A, s. 4 (2).

Mixed records

(3) Personal health information includes identifying information that is not personal health information described in subsection (1) but that is contained in a record that contains personal health information described in that subsection. 2009, c. 33, Sched. 18, s. 25 (3).

Exception

(4) Personal health information does not include identifying information contained in a record that is in the custody or under the control of a health information custodian if,

(a) the identifying information contained in the record relates primarily to one or more employees or other agents of the custodian; and

(b) the record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents. 2004, c. 3, Sched. A, s. 4 (4).

“substitute decision-maker”, in relation to an individual, means, unless the context requires otherwise, a person who is authorized under this Act to consent on behalf of the individual to the collection, use or disclosure of personal health information about the individual. 2004, c. 3, Sched. A, s. 5 (1).

Decision about treatment

(2) A substitute decision-maker of an individual within the meaning of section 9 of the Health Care Consent Act, 1996 shall be deemed to be a substitute decision-maker of the individual in respect of the collection, use or disclosure of personal health information about the individual if the purpose of the collection, use or disclosure is necessary for, or ancillary to, a decision about a treatment under Part II of that Act. 2004, c. 3, Sched. A, s. 5 (2).

Admission to a care facility

(3) A substitute decision-maker of an individual within the meaning of section 39 of the Health Care Consent Act, 1996 shall be deemed to be a substitute decision-maker of the individual in respect of the collection, use or disclosure of personal health information about the individual if the purpose of the collection, use or disclosure is necessary for, or ancillary to, a decision about admission to a care facility under Part III of that Act. 2004, c. 3, Sched. A, s. 5 (3).

Note: On a day to be named by proclamation of the Lieutenant Governor, section 5 of the Act is amended by adding the following subsection: (See: 2017, c. 25, Sched. 5, s. 69)

Confining in a care facility

(3.1) A substitute decision-maker of an individual within the meaning of section 54.4 of the Health Care Consent Act, 1996 shall be deemed to be a substitute decision-maker of the individual in respect of the collection, use or disclosure of personal health information about the individual if the purpose of the collection, use or disclosure is necessary for, or ancillary to, a decision about confining in a care facility under Part III.1 of that Act. 2017, c. 25, Sched. 5, s. 69.

Personal assistance services

(4) A substitute decision-maker of an individual within the meaning of section 56 of the Health Care Consent Act, 1996 shall be deemed to be a substitute decision-maker of the individual in respect of the collection, use or disclosure of personal health information about the individual if the purpose of the collection, use or disclosure is necessary for, or ancillary to, a decision about a personal assistance service under Part IV of that Act. 2004, c. 3, Sched. A, s. 5 (4).

6 (1) For the purposes of this Act, the providing of personal health information between a health information custodian and an agent of the custodian is a use by the custodian, and not a disclosure by the person providing the information or a collection by the person to whom the information is provided. 2004, c. 3, Sched. A, s. 6 (1).

Provisions based on consent

(2) A provision of this Act that applies to the collection, use or disclosure of personal health information about an individual by a health information custodian with the consent of the individual, whatever the nature of the consent, does not affect the collection, use or disclosure that this Act permits or requires the health information custodian to make of the information without the consent of the individual. 2004, c. 3, Sched. A, s. 6 (2).

Permissive disclosure

(3) A provision of this Act that permits a health information custodian to disclose personal health information about an individual without the consent of the individual,

(a) does not require the custodian to disclose it unless required to do so by law;

(b) does not relieve the custodian from a legal requirement to disclose the information; and

(c) does not prevent the custodian from obtaining the individual’s consent for the disclosure. 2004, c. 3, Sched. A, s. 6 (3).

Application of Act

Application of Act

7(1) Except if this Act or its regulations specifically provide otherwise, this Act applies to,

(a) the collection of personal health information by a health information custodian on or after the day this section comes into force;

(b) the use or disclosure of personal health information, on or after the day this section comes into force, by,

(i) a health information custodian, even if the custodian collected the information before that day, or

(ii) a person who is not a health information custodian and to whom a health information custodian disclosed the information, even if the person received the information before that day; and

(c) the collection, use or disclosure of a health number by any person on or after the day this section comes into force. 2004, c. 3, Sched. A, s. 7 (1).

Conflict

(2) In the event of a conflict between a provision of this Act or its regulations and a provision of any other Act or its regulations, this Act and its regulations prevail unless this Act, its regulations or the other Act specifically provide otherwise. 2004, c. 3, Sched. A, s. 7 (2).

Interpretation

(3) For the purpose of this section, there is no conflict unless it is not possible to comply with both this Act and its regulations and any other Act or its regulations. 2004, c. 3, Sched. A, s. 7 (3).

Exception

(4) This Act and its regulations do not prevail in the event of a conflict between a provision of this Act or its regulations and a provision of the Quality of Care Information Protection Act, 2004 or its regulations. 2004, c. 3, Sched. A, s. 7 (4).

Crown bound

(5) For greater certainty, this Act binds the Crown, including all ministries, agencies and employees of the Crown. 2007, c. 10, Sched. H, s. 3.

8(1) Subject to subsection (2), the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act do not apply to personal health information in the custody or under the control of a health information custodian unless this Act specifies otherwise. 2007, c. 10, Sched. H, s. 4.

Exceptions

(2) Sections 11, 12, 15, 16, 17, 33 and 34, subsection 35 (2) and sections 36 and 44 of the Freedom of Information and Protection of Privacy Act and sections 5, 9, 10, 25, 26 and 34 of the Municipal Freedom of Information and Protection of Privacy Act apply in respect of records of personal health information in the custody or under the control of a health information custodian that is an institution within the meaning of either of those Acts, as the case may be, or that is acting as part of such an institution. 2007, c. 10, Sched. H, s. 4.

Same

(3) A record of personal health information prepared by or in the custody or control of an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act shall be deemed to be a record to which clause 32 (b) of the Freedom of Information and Protection of Privacy Act or clause 25 (1) (b) of the Municipal Freedom of Information and Protection of Privacy Act applies, as the case may be. 2004, c. 3, Sched. A, s. 8 (3).

Access

(4) This Act does not limit a person’s right of access under section 10 of the Freedom of Information and Protection of Privacy Act or section 4 of the Municipal Freedom of Information and Protection of Privacy Act to a record of personal health information if all the types of information referred to in subsection 4 (1) are reasonably severed from the record. 2004, c. 3, Sched. A, s. 8 (4).

Transition

(5) This Act does not apply to a collection, use or disclosure of personal health information, a request for access or an appeal made under the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act before the day this section comes into force, and the applicable Act continues to apply to the collection, use, disclosure, request or appeal. 2004, c. 3, Sched. A, s. 8 (5).

9 (1) This Act does not apply to personal health information about an individual after the earlier of 120 years after a record containing the information was created and 50 years after the death of the individual. 2004, c. 3, Sched. A, s. 9 (1).

Other rights and Acts

(2) Nothing in this Act shall be construed to interfere with,

(a) anything in connection with a subrogated claim or a potential subrogated claim;

(b) any legal privilege, including solicitor-client privilege;

(c) the law of evidence or information otherwise available by law to a party or a witness in a proceeding;

(d) the power of a court or a tribunal to compel a witness to testify or to compel the production of a document;

(e) the regulatory activities of a College under the Regulated Heath Professions Act, 1991, the College under the Social Work and Social Service Work Act, 1998
or the Board under the Drugless Practitioners Act; or

(f) any provision of any Act of Ontario or Canada or any court order, if the provision or order, as the case may be, prohibits a person from making information public or from publishing information. 2004, c. 3, Sched. A, s. 9 (2).

PART II PRACTICES TO PROTECT PERSONAL HEALTH INFORMATION

General

Information practices

10(1) A health information custodian that has custody or control of personal health information shall have in place information practices that comply with the requirements of this Act and its regulations. 2004, c. 3, Sched. A, s. 10 (1).

(4) A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 10 (4).

Accuracy

11 (1) A health information custodian that uses personal health information about an individual shall take reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes for which it uses the information. 2004, c. 3, Sched. A, s. 11 (1).

(a) take reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes of the disclosure that are known to the custodian at the time of the disclosure; or

(b) clearly set out for the recipient of the disclosure the limitations, if any, on the accuracy, completeness or up-to-date character of the information. 2004, c. 3, Sched. A, s. 11 (2).

Steps to ensure collection

11.1 A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority. 2016, c. 6, Sched. 1, s. 1 (3).

12 (1) A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. 2004, c. 3, Sched. A, s. 12 (1).

Notice of theft, loss, etc. to individual

(2) Subject to subsection (4) and to the exceptions and additional requirements, if any, that are prescribed, if personal health information about an individual that is in the custody or control of a health information custodian is stolen or lost or if it is used or disclosed without authority, the health information custodian shall,

(a) notify the individual at the first reasonable opportunity of the theft or loss or of the unauthorized use or disclosure; and

(b) include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI. 2016, c. 6, Sched. 1, s. 1 (4).

Notice to Commissioner

(3) If the circumstances surrounding a theft, loss or unauthorized use or disclosure referred to in subsection (2) meet the prescribed requirements, the health information custodian shall notify the Commissioner of the theft or loss or of the unauthorized use or disclosure. 2016, c. 6, Sched. 1, s. 1 (4).

Exception

(4) If the health information custodian is a researcher who has received the personal health information from another health information custodian under subsection 44 (1), the researcher shall not notify the individual if the information is stolen or lost or if it is used or disclosed without authority, unless the health information custodian that disclosed the personal health information under subsection 44 (1),

(a) first obtains the individual’s consent to having the researcher contact the individual; and

(b) informs the researcher that the individual has given the consent. 2016, c. 6, Sched. 1, s. 1 (4).

13 (1)A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any. 2004, c. 3, Sched. A, s. 13 (1).

Retention of records subject to a request

(2) Despite subsection (1), a health information custodian that has custody or control of personal health information that is the subject of a request for access under section 53 shall retain the information for as long as necessary to allow the individual to exhaust any recourse under this Act that he or she may have with respect to the request. 2004, c. 3, Sched. A, s. 13 (2).

Place where records kept

14 (1) A health information custodian may keep a record of personal health information about an individual in the individual’s home in any reasonable manner to which the individual consents, subject to any restrictions set out in a regulation, by-law or published guideline under the Regulated Health Professions Act, 1991, an Act referred to in Schedule 1 of that Act, the Drugless Practitioners Act or the Social Work and Social Service Work Act, 1998. 2004, c. 3, Sched. A, s. 14 (1).

Records kept in other places

(2) A health care practitioner may keep a record of personal health information about an individual in a place other than the individual’s home and other than a place in the control of the practitioner if,

(a) the record is kept in a reasonable manner;

(b) the individual consents;

(c) the health care practitioner is permitted to keep the record in the place in accordance with a regulation, by-law or published guideline under the Regulated Health Professions Act, 1991, an Act referred to in Schedule 1 to that Act, the Drugless Practitioners Act or the Social Work and Social Service Work Act, 1998, if the health care practitioner is described in any of clauses (a) to (c) of the definition of “health care practitioner” in section 2; and

(3) A contact person is an agent of the health information custodian and is authorized on behalf of the custodian to,

(a) facilitate the custodian’s compliance with this Act;

(b) ensure that all agents of the custodian are appropriately informed of their duties under this Act;

(c) respond to inquiries from the public about the custodian’s information practices;

(d) respond to requests of an individual for access to or correction of a record of personal health information about the individual that is in the custody or under the control of the custodian; and

(e) receive complaints from the public about the custodian’s alleged contravention of this Act or its regulations. 2004, c. 3, Sched. A, s. 15 (3).

If no contact person

(4) A health information custodian that is a natural person and that does not designate a contact person under subsection (1) shall perform on his or her own the functions described in clauses (3) (b), (c), (d) and (e). 2004, c. 3, Sched. A, s. 15 (4).

Written public statement

16 (1) A health information custodian shall, in a manner that is practical in the circumstances, make available to the public a written statement that,

(a) provides a general description of the custodian’s information practices;

(b) describes how to contact,

(i) the contact person described in subsection 15 (3), if the custodian has one, or

(ii) the custodian, if the custodian does not have that contact person;

(c) describes how an individual may obtain access to or request correction of a record of personal health information about the individual that is in the custody or control of the custodian; and

(d) describes how to make a complaint to the custodian and to the Commissioner under this Act. 2004, c. 3, Sched. A, s. 16 (1).

Notification

(2) If a health information custodian uses or discloses personal health information about an individual, without the individual’s consent,in a manner that is outside the scope of the custodian’s description of its information practices under clause (1) (a), the custodian shall,

(a) inform the individual of the uses and disclosures at the first reasonable opportunity unless, under section 52, the individual does not have a right of access to a record of the information;

(b) make a note of the uses and disclosures; and

(c) keep the note as part of the records of personal health information about the individual that it has in its custody or under its control or in a form that is linked to those records. 2004, c. 3, Sched. A, s. 16 (2).

Agents and information

17 (1) A health information custodian is responsible for personal health information in the custody or control of the health information custodian and may permit the custodian’s agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf only if,

(a) the custodian is permitted or required to collect, use, disclose, retain or dispose of the information, as the case may be;

(b) the collection, use, disclosure, retention or disposal of the information, as the case may be, is necessary in the course of the agent’s duties and is not contrary to this Act or another law; and

(a) take steps that are reasonable in the circumstances to ensure that no agent of the custodian collects, uses, discloses, retains or disposes of personal health information unless it is in accordance with subsection (2); and

(b) remain responsible for any personal health information that is collected, used, disclosed, retained or disposed of by the custodian’s agents, regardless of whether or not the collection, use, disclosure, retention or disposal was carried out in accordance with subsection (2). 2016, c. 6, Sched. 1, s. 1 (7).

Responsibilities of the agent

(4) An agent of a health information custodian shall,

(a) comply with the conditions or restrictions imposed by the health information custodian on the agent’s collection, use, disclosure, retention or disposal of personal health information under subsection (1.1); and

(b) notify the custodian at the first reasonable opportunity if personal health information that the agent collected, used, disclosed, retained or disposed of on behalf of the custodian is stolen or lost or if it is used or disclosed without authority. 2016, c. 6, Sched. 1, s. 1 (7).

(a) in the case of a member of health profession regulated under the Regulated Health Professions Act, 1991, a College of the health profession named in Schedule 1 to that Act, and

(b) in the case of a member of the Ontario College of Social Workers and Social Service Workers, that College. 2016, c. 6, Sched. 1, s. 1 (8).

Termination, suspension, etc. of employed members

(2) Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian employs a health care practitioner who is a member of a College, the health information custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

1. The employee is terminated, suspended or subject to disciplinary action as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee.

2. The employee resigns and the health information custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the employee. 2016, c. 6, Sched. 1, s. 1 (8).

Same, custodian’s agent

(3) Subject to any exceptions and additional requirements, if any, that are prescribed, a health information custodian shall give written notice of an event described in subsection (4) to a College if,

(a) the health information custodian is a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act; and

(b) a health care practitioner, who is a member of the College, is employed to provide health care for the board of health and is an agent of the custodian. 2016, c. 6, Sched. 1, s. 1 (8).

Same

(4) The health information custodian shall give written notice of any of the following events to a College within 30 days of the event occurring:

1. The agent’s employment is terminated or suspended, or the agent is subject to disciplinary action with respect to his or her employment, as a result of his or her unauthorized collection, use, disclosure, retention or disposal of personal health information.

2. The agent resigns from his or her employment and the health information custodian has reasonable grounds to believe that the resignation is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the agent. 2016, c. 6, Sched. 1, s. 1 (8).

Member’s privileges revoked, etc.

(5) Subject to any exceptions and additional requirements, if any, that are prescribed, if a health information custodian extends privileges to, or is otherwise affiliated with, a health care practitioner who is a member of a College, the custodian shall give written notice of any of the following events to the College within 30 days of the event occurring:

1. The member’s privileges are revoked, suspended or restricted, or his or her affiliation is revoked, suspended or restricted, as a result of the unauthorized collection, use, disclosure, retention or disposal of personal health information by the member.

2. The member relinquishes or voluntarily restricts his or her privileges or his or her affiliation and the health information custodian has reasonable grounds to believe that the relinquishment or restriction is related to an investigation or other action by the custodian with respect to an alleged unauthorized collection, use, disclosure, retention or disposal of personal health information by the member. 2016, c. 6, Sched. 1, s. 1 (8).

(2) Subject to subsection (3), a consent to the collection, use or disclosure of personal health information about an individual may be express or implied. 2004, c. 3, Sched. A, s. 18 (2).

Exception

(3) A consent to the disclosure of personal health information about an individual must be express, and not implied, if,

(a) a health information custodian makes the disclosure to a person that is not a health information custodian; or

(b) a health information custodian makes the disclosure to another health information custodian and the disclosure is not for the purposes of providing health care or assisting in providing health care. 2004, c. 3, Sched. A, s. 18 (3).

Same

(4) Subsection (3) does not apply to,

(a) a disclosure pursuant to an implied consent described in subsection 20 (4);

(b) a disclosure pursuant to clause 32 (1) (b); or

(c) a prescribed type of disclosure that does not include information about an individual’s state of health. 2004, c. 3, Sched. A, s. 18 (4).

Knowledgeable consent

(5) A consent to the collection, use or disclosure of personal health information about an individual is knowledgeable if it is reasonable in the circumstances to believe that the individual knows,

(a) the purposes of the collection, use or disclosure, as the case may be; and

(6) Unless it is not reasonable in the circumstances, it is reasonable to believe that an individual knows the purposes of the collection, use or disclosure of personal health information about the individual by a health information custodian if the custodian posts or makes readily available a notice describing the purposes where it is likely to come to the individual’s attention or provides the individual with such a notice. 2004, c. 3, Sched. A, s. 18 (6).

Transition

(7) A consent that an individual gives, before the day that subsection (1) comes into force, to a collection, use or disclosure of information that is personal health information is a valid consent if it meets the requirements of this Act for consent. 2004, c. 3, Sched. A, s. 18 (7).

Withdrawal of consent

19 (1)If an individual consents to have a health information custodian collect, use or disclose personal health information about the individual, the individual may withdraw the consent, whether the consent is express or implied, by providing notice to the health information custodian, but the withdrawal of the consent shall not have retroactive effect. 2004, c. 3, Sched. A, s. 19 (1).

Conditional consent

(2) If an individual places a condition on his or her consent to have a health information custodian collect, use or disclose personal health information about the individual, the condition is not effective to the extent that it purports to prohibit or restrict any recording of personal health information by a health information custodian that is required by law or by established standards of professional practice or institutional practice. 2004, c. 3, Sched. A, s. 19 (2).

Assumption of validity

20 (1) A health information custodian who has obtained an individual’s consent to a collection, use or disclosure of personal health information about the individual or who has received a copy of a document purporting to record the individual’s consent to the collection, use or disclosure is entitled to assume that the consent fulfils the requirements of this Act and the individual has not withdrawn it, unless it is not reasonable to assume so. 2004, c. 3, Sched. A, s. 20 (1).

Implied consent

(2) A health information custodian described in paragraph 1, 2 or 4 of the definition of “health information custodian” in subsection 3 (1), that receives personal health information about an individual from the individual, the individual’s substitute decision-maker or another health information custodian for the purpose of providing health care or assisting in the provision of health care to the individual, is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual, unless the custodian that receives the information is aware that the individual has expressly withheld or withdrawn the consent. 2004, c. 3, Sched. A, s. 20 (2); 2016, c. 30, s. 43 (3).

Limited consent

(3) If a health information custodian discloses, with the consent of an individual, personal health information about the individual to a health information custodian described in paragraph 1, 2 or 4 of the definition of “health information custodian” in subsection 3 (1) for the purpose of the provision of health care to the individual and if the disclosing custodian does not have the consent of the individual to disclose all the personal health information about the individual that it considers reasonably necessary for that purpose, the disclosing custodian shall notify the custodian to whom it disclosed the information of that fact. 2004, c. 3, Sched. A, s. 20 (3); 2016, c. 30, s. 43 (3).

Implied consent, affiliation

(4) If an individual who is a resident or patient in a facility that is a health information custodian provides to the custodian information about his or her religious or other organizational affiliation, the facility may assume that it has the individual’s implied consent to provide his or her name and location in the facility to a representative of the religious or other organization, where the custodian has offered the individual the opportunity to withhold or withdraw the consent and the individual has not done so. 2004, c. 3, Sched. A, s. 20 (4).

(2) An individual may be capable of consenting to the collection, use or disclosure of some parts of personal health information, but incapable of consenting with respect to other parts. 2004, c. 3, Sched. A, s. 21 (2).

Different times

(3) An individual may be capable of consenting to the collection, use or disclosure of personal health information at one time, but incapable of consenting at another time. 2004, c. 3, Sched. A, s. 21 (3).

Presumption of capacity

(4) An individual is presumed to be capable of consenting to the collection, use or disclosure of personal health information. 2004, c. 3, Sched. A, s. 21 (4).

Non-application

(5) A health information custodian may rely on the presumption described in subsection (4) unless the custodian has reasonable grounds to believe that the individual is incapable of consenting to the collection, use or disclosure of personal health information. 2004, c. 3, Sched. A, s. 21 (5).

Determination of incapacity

22 (1) A health information custodian that determines the incapacity of an individual to consent to the collection, use or disclosure of personal health information under this Act shall do so in accordance with the requirements and restrictions, if any, that are prescribed. 2004, c. 3, Sched. A, s. 22 (1).

Information about determination

(2) If it is reasonable in the circumstances, a health information custodian shall provide, to an individual determined incapable of consenting to the collection, use or disclosure of his or her personal health information by the custodian, information about the consequences of the determination of incapacity, including the information, if any, that is prescribed. 2004, c. 3, Sched. A, s. 22 (2).

Review of determination

(3) An individual whom a health information custodian determines is incapable of consenting to the collection, use or disclosure of his or her personal health information by a health information custodian may apply to the Board for a review of the determination unless there is a person who is entitled to act as the substitute decision-maker of the individual under subsection 5 (2), (3) or (4). 2004, c. 3, Sched. A, s. 22 (3).

Note: On a day to be named by proclamation of the Lieutenant Governor, subsection 22 (3) of the Act is amended by striking out “(3) or (4)” at the end and substituting “(3), (3.1) or (4)”. (See: 2017, c. 25, Sched. 5, s. 70)

Parties

(4) The parties to the application are:

1. The individual applying for the review of the determination.

2. The health information custodian that has custody or control of the personal health information.

(5) The Board may confirm the determination of incapacity or may determine that the individual is capable of consenting to the collection, use or disclosure of personal health information. 2004, c. 3, Sched. A, s. 22 (5).

Restriction on repeated applications

(6) If a determination that an individual is incapable with respect to consenting to the collection, use or disclosure of personal health information is confirmed on the final disposition of an application under this section, the individual shall not make a new application under this section for a determination with respect to the same or a similar issue within six months after the final disposition of the earlier application, unless the Board gives leave in advance. 2004, c. 3, Sched. A, s. 22 (6).

Grounds for leave

(7) The Board may give leave for the new application to be made if it is satisfied that there has been a material change in circumstances that justifies reconsideration of the individual’s capacity. 2004, c. 3, Sched. A, s. 22 (7).

23(1) If this Act or any other Act refers to a consent required of an individual to a collection, use or disclosure by a health information custodian of personal health information about the individual, a person described in one of the following paragraphs may give, withhold or withdraw the consent:

1. If the individual is capable of consenting to the collection, use or disclosure of the information,

i. the individual, or

ii. if the individual is at least 16 years of age, any person who is capable of consenting, whom the individual has authorized in writing to act on his or her behalf and who, if a natural person, is at least 16 years of age.

2. If the individual is a child who is less than 16 years of age, a parent of the child or a children’s aid society or other person who is lawfully entitled to give or refuse consent in the place of the parent unless the information relates to,

i. treatment within the meaning of the Health Care Consent Act, 1996, about which the child has made a decision on his or her own in accordance with that Act, or

ii. counselling in which the child has participated on his or her own under the Child, Youth and Family Services Act, 2017.

3. If the individual is incapable of consenting to the collection, use or disclosure of the information, a person who is authorized under subsection 5 (2), (3) or (4) or section 26 to consent on behalf of the individual.

Note: On a day to be named by proclamation of the Lieutenant Governor, paragraph 3 of subsection 23 (1) of the Act is amended by striking out “(3) or (4)” and substituting “(3), (3.1) or (4)”. (See: 2017, c. 25, Sched. 5, s. 71)

4. If the individual is deceased, the deceased’s estate trustee or the person who has assumed responsibility for the administration of the deceased’s estate, if the estate does not have an estate trustee.

“parent” does not include a parent who has only a right of access to the child. 2004, c. 3, Sched. A, s. 23 (2).

Conflict if child capable

(3) If the individual is a child who is less than 16 years of age and who is capable of consenting to the collection, use or disclosure of the information and if there is a person who is entitled to act as the substitute decision-maker of the child under paragraph 2 of subsection (1), a decision of the child to give, withhold or withdraw the consent or to provide the information prevails over a conflicting decision of that person. 2004, c. 3, Sched. A, s. 23 (3).

24 (1) A person who consents under this Act or any other Act on behalf of or in the place of an individual to a collection, use or disclosure of personal health information by a health information custodian, who withholds or withdraws such a consent or who provides an express instruction under clause 37 (1) (a), 38 (1) (a) or 50 (1) (e) shall take into consideration,

(a) the wishes, values and beliefs that,

(i) if the individual is capable, the person knows the individual holds and believes the individual would want reflected in decisions made concerning the individual’s personal health information, or

(ii) if the individual is incapable or deceased, the person knows the individual held when capable or alive and believes the individual would have wanted reflected in decisions made concerning the individual’s personal health information;

(b) whether the benefits that the person expects from the collection, use or disclosure of the information outweigh the risk of negative consequences occurring as a result of the collection, use or disclosure;

(c) whether the purpose for which the collection, use or disclosure is sought can be accomplished without the collection, use or disclosure; and

(2) If a substitute decision-maker, on behalf of an incapable individual, gives, withholds or withdraws a consent to a collection, use or disclosure of personal health information about the individual by a health information custodian or provides an express instruction under clause 37 (1) (a), 38 (1) (a) or 50 (1) (e) and if the custodian is of the opinion that the substitute decision-maker has not complied with subsection (1), the custodian may apply to the Board for a determination as to whether the substitute decision-maker complied with that subsection. 2004, c. 3, Sched. A, s. 24 (2).

Deemed application concerning capacity

(2.1) An application to the Board under subsection (2) shall be deemed to include an application to the Board under subsection 22 (3) with respect to the individual’s capacity to consent to the collection, use or disclosure of his or her personal health information, unless the individual’s capacity has been determined by the Board within the previous six months. 2007, c. 10, Sched. H, s. 6.

(4) In determining whether the substitute decision-maker complied with subsection (1), the Board may substitute its opinion for that of the substitute decision-maker. 2004, c. 3, Sched. A, s. 24 (4).

Directions

(5) If the Board determines that the substitute decision-maker did not comply with subsection (1), it may give him or her directions and, in doing so, shall take into consideration the matters set out in clauses (1) (a) to (d). 2004, c. 3, Sched. A, s. 24 (5).

Time for compliance

(6) The Board shall specify the time within which the substitute decision-maker must comply with its directions. 2004, c. 3, Sched. A, s. 24 (6).

Deemed not authorized

(7) If the substitute decision-maker does not comply with the Board’s directions within the time specified by the Board, he or she shall be deemed not to meet the requirements of subsection 26 (2). 2004, c. 3, Sched. A, s. 24 (7).

Public Guardian and Trustee

(8) If the substitute decision-maker who is given directions is the Public Guardian and Trustee, he or she is required to comply with the directions and subsection (6) does not apply to him or her. 2004, c. 3, Sched. A, s. 24 (8).

25(1) If this Act permits or requires an individual to make a request, give an instruction or take a step and a substitute decision-maker is authorized to consent on behalf of the individual to the collection, use or disclosure of personal health information about the individual, the substitute decision-maker may make the request, give the instruction or take the step on behalf of the individual. 2004, c. 3, Sched. A, s. 25 (1).

Same

(2) If a substitute decision-maker makes a request, gives an instruction or takes a step under subsection (1) on behalf of an individual, references in this Act to the individual with respect to the request made, the instruction given or the step taken by the substitute decision-maker shall be read as references to the substitute decision-maker, and not to the individual. 2004, c. 3, Sched. A, s. 25 (2).

Incapable individual: persons who may consent

26(1) If an individual is determined to be incapable of consenting to the collection, use or disclosure of personal health information by a health information custodian, a person described in one of the following paragraphs may, on the individual’s behalf and in the place of the individual, give, withhold or withdraw the consent:

1. The individual’s guardian of the person or guardian of property, if the consent relates to the guardian’s authority to make a decision on behalf of the individual.

2. The individual’s attorney for personal care or attorney for property, if the consent relates to the attorney’s authority to make a decision on behalf of the individual.

3. The individual’s representative appointed by the Board under section 27, if the representative has authority to give the consent.

4. The individual’s spouse or partner.

5. A child or parent of the individual, or a children’s aid society or other person who is lawfully entitled to give or refuse consent in the place of the parent. This paragraph does not include a parent who has only a right of access to the individual. If a children’s aid society or other person is lawfully entitled to consent in the place of the parent, this paragraph does not include the parent.

6. A parent of the individual with only a right of access to the individual.

(2) A person described in subsection (1) may consent only if the person,

(a) is capable of consenting to the collection, use or disclosure of personal health information by a health information custodian;

(b) in the case of an individual, is at least 16 years old or is the parent of the individual to whom the personal health information relates;

(c) is not prohibited by court order or separation agreement from having access to the individual to whom the personal health information relates or from giving or refusing consent on the individual’s behalf;

(d) is available; and

(e) is willing to assume the responsibility of making a decision on whether or not to consent. 2004, c. 3, Sched. A, s. 26 (2).

Meaning of “available”

(3) For the purpose of clause (2) (d), a person is available if it is possible, within a time that is reasonable in the circumstances, to communicate with the person and obtain a consent. 2004, c. 3, Sched. A, s. 26 (3).

Ranking

(4) A person described in a paragraph of subsection (1) may consent only if no person described in an earlier paragraph meets the requirements of subsection (2). 2004, c. 3, Sched. A, s. 26 (4).

Same

(5) Despite subsection (4), a person described in a paragraph of subsection (1) who is present or has otherwise been contacted may consent if the person believes that,

(a) no other person described in an earlier paragraph or the same paragraph exists; or

(b) although such other person exists, the other person is not a person described in paragraph 1, 2 or 3 of subsection (1) and would not object to the person who is present or has otherwise been contacted making the decision. 2004, c. 3, Sched. A, s. 26 (5); 2007, c. 10, Sched. H, s. 7.

Public Guardian and Trustee

(6) If no person described in subsection (1) meets the requirements of subsection (2), the Public Guardian and Trustee may make the decision to consent. 2004, c. 3, Sched. A, s. 26 (6).

Conflict between persons in same paragraph

(7) If two or more persons who are described in the same paragraph of subsection (1) and who meet the requirements of subsection (2) disagree about whether to consent, and if their claims rank ahead of all others, the Public Guardian and Trustee may make the decision in their stead. 2004, c. 3, Sched. A, s. 26 (7).

Transition, representative appointed by individual

(8) Where an individual, to whom personal health information relates, appointed a representative under section 36.1 of the Mental Health Act before the day this section comes into force, the representative shall be deemed to have the same authority as a person mentioned in paragraph 2 of subsection (1). 2004, c. 3, Sched. A, s. 26 (8).

Limited authority

(9) The authority conferred on the representative by subsection (8) is limited to the purposes for which the representative was appointed. 2004, c. 3, Sched. A, s. 26 (9).

Revocation

(10) An individual who is capable of consenting with respect to personal health information may revoke the appointment mentioned in subsection (8) in writing. 2004, c. 3, Sched. A, s. 26 (10).

Ranking

(11) A person who is entitled to be the substitute decision-maker of the individual under this section may act as the substitute decision-maker only in circumstances where there is no person who may act as the substitute decision-maker of the individual under subsection 5 (2), (3) or (4). 2004, c. 3, Sched. A, s. 26 (11).

Note: On a day to be named by proclamation of the Lieutenant Governor, subsection 26 (11) of the Act is amended by striking out “(3) or (4)” at the end and substituting “(3), (3.1) or (4)”. (See: 2017, c. 25, Sched. 5, s. 72)

27 (1) An individual who is 16 years old or older and who is determined to be incapable of consenting to the collection, use or disclosure of personal health information may apply to the Board for appointment of a representative to consent on the individual’s behalf to a collection, use or disclosure of the information by a health information custodian. 2004, c. 3, Sched. A, s. 27 (1).

Application by proposed representative

(2) If an individual is incapable of consenting to the collection, use or disclosure of personal health information, another individual who is 16 years old or older may apply to the Board to be appointed as a representative to consent on behalf of the incapable individual to a collection, use or disclosure of the information. 2004, c. 3, Sched. A, s. 27 (2).

Deemed application concerning capacity

(2.1) An application to the Board under subsection (1) or (2) shall be deemed to include an application to the Board under subsection 22 (3) with respect to the individual’s capacity to consent to the collection, use or disclosure of his or her personal health information, unless the individual’s capacity has been determined by the Board within the previous six months. 2007, c. 10, Sched. H, s. 8.

Exception

(3) Subsections (1) and (2) do not apply if the individual to whom the personal health information relates has a guardian of the person, a guardian of property, an attorney for personal care, or an attorney for property, who has authority to give or refuse consent to the collection, use or disclosure. 2004, c. 3, Sched. A, s. 27 (3).

Parties

(4) The parties to the application are:

1. The individual to whom the personal health information relates.

2. The proposed representative named in the application.

3. Every person who is described in paragraph 4, 5, 6 or 7 of subsection 26 (1).

(5) In an appointment under this section, the Board may authorize the representative to consent, on behalf of the individual to whom the personal health information relates, to,

(a) a particular collection, use or disclosure at a particular time;

(b) a collection, use or disclosure of the type specified by the Board in circumstances specified by the Board, if the individual is determined to be incapable of consenting to the collection, use or disclosure of personal health information at the time the consent is sought; or

(c) any collection, use or disclosure at any time, if the individual is determined to be incapable of consenting to the collection, use or disclosure of personal health information at the time the consent is sought. 2004, c. 3, Sched. A, s. 27 (5).

Criteria for appointment

(6) The Board may make an appointment under this section if it is satisfied that the following requirements are met:

1. The individual to whom the personal health information relates does not object to the appointment.

2. The representative consents to the appointment, is at least 16 years old and is capable of consenting to the collection, use or disclosure of personal health information.

3. The appointment is in the best interests of the individual to whom the personal health information relates. 2004, c. 3, Sched. A, s. 27 (6).

(a) appoint as representative a different individual than the one named in the application;

(b) limit the duration of the appointment;

(c) impose any other condition on the appointment; or

(d) on any person’s application, remove, vary or suspend a condition imposed on the appointment or impose an additional condition on the appointment. 2004, c. 3, Sched. A, s. 27 (7).

Termination

(8) The Board may, on any person’s application, terminate an appointment made under this section if,

(a) the individual to whom the personal health information relates or the representative requests the termination;

(b) the representative is no longer capable of consenting to the collection, use or disclosure of personal health information;

(c) the appointment is no longer in the best interests of the individual to whom the personal health information relates; or

(d) the individual to whom the personal health information relates has a guardian of the person, a guardian of property, an attorney for personal care, or an attorney for property, who has authority to give or refuse consent to the types of collections, uses and disclosures for which the appointment was made and in the circumstances to which the appointment applies. 2004, c. 3, Sched. A, s. 27 (8).

28(1) This Act applies to a representative whom the Board appointed under section 36.2 of the Mental Health Act or who was deemed to be appointed under that section before the day this section comes into force for an individual with respect to the individual’s personal health information, as if the representative were the individual’s representative appointed by the Board under section 27. 2004, c. 3, Sched. A, s. 28 (1).

Limited authority

(2) The authority conferred on the representative by subsection (1) is limited to the purposes for which the representative was appointed. 2004, c. 3, Sched. A, s. 28 (2).

PART IV COLLECTION, USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

General Limitations and Requirements

Requirement for consent

29 A health information custodian shall not collect, use or disclose personal health information about an individual unless,

(a) it has the individual’s consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian’s knowledge, is necessary for a lawful purpose; or

(b) the collection, use or disclosure, as the case may be, is permitted or required by this Act. 2004, c. 3, Sched. A, s. 29.

Other information

30 (1) A health information custodian shall not collect, use or disclose personal health information if other information will serve the purpose of the collection, use or disclosure. 2004, c. 3, Sched. A, s. 30 (1).

Extent of information

(2) A health information custodian shall not collect, use or disclose more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure, as the case may be. 2004, c. 3, Sched. A, s. 30 (2).

Exception

(3) This section does not apply to personal health information that a health information custodian is required by law to collect, use or disclose. 2004, c. 3, Sched. A, s. 30 (3).

Use and disclosure of personal health information

31(1)A health information custodian that collects personal health information in contravention of this Act shall not use it or disclose it unless required by law to do so. 2004, c. 3, Sched. A, s. 31 (1).

32(1) Subject to subsection (2), a health information custodian may collect, use or disclose personal health information about an individual for the purpose of fundraising activities only where,

(a) the individual expressly consents; or

(b) the individual consents by way of an implied consent and the information consists only of the individual’s name and the prescribed types of contact information. 2004, c. 3, Sched. A, s. 32 (1); 2007, c. 10, Sched. H, s. 9.

Requirements and restrictions

(2) The manner in which consent is obtained under subsection (1) and the resulting collection, use or disclosure of personal health information for the purpose of fundraising activities shall comply with the requirements and restrictions that are prescribed, if any. 2004, c. 3, Sched. A, s. 32 (2).

33 A health information custodian shall not collect, use or disclose personal health information about an individual for the purpose of marketing anything or for the purpose of market research unless the individual expressly consents and the custodian collects, uses or discloses the information, as the case may be, subject to the prescribed requirements and restrictions, if any. 2004, c. 3, Sched. A, s. 33.

Health cards and health numbers

34 (1) In this section,

“health card” means a card provided to an insured person within the meaning of the Health Insurance Act by the General Manager of the Ontario Health Insurance Plan; (“carte Santé”)

“provincially funded health resource” means a service, thing, subsidy or other benefit funded, in whole or in part, directly or indirectly by the Government of Ontario, if it is health related or prescribed. (“ressource en matière de santé subventionnée par la province”) 2004, c. 3, Sched. A, s. 34 (1).

Collection or use

(2) Despite subsection 49 (1), a person who is neither a health information custodian nor acting as an agent of a health information custodian shall not collect or use another person’s health number except,

(a) for purposes related to the provision of provincially funded health resources to that other person;

(b) for the purposes for which a health information custodian has disclosed the number to the person;

(c) if the person is the governing body of health care practitioners who provide provincially funded health resources and is collecting or using health numbers for purposes related to its duties or powers; or

(d) if the person is prescribed and is collecting or using the health number, as the case may be, for purposes related to health administration, health planning, health research or epidemiological studies. 2007, c. 10, Sched. H, s. 10.

Note: On a day to be named by proclamation of the Lieutenant Governor, subsection 34 (2) of the Act is amended by striking out “or” at the end of clause (c), by adding “or” at the end of clause (d) and by adding the following clause: (See: 2016, c. 6, Sched. 1, s. 1 (9))

(e) if the person is prescribed and is collecting or using the health number, as the case may be, for purposes related to the electronic health record developed and maintained by the prescribed organization.

Disclosure

(3) Despite subsection 49 (1) and subject to the exceptions and additional requirements, if any, that are prescribed, a person who is neither a health information custodian nor acting as an agent of a health information custodian shall not disclose a health number except as required by law. 2007, c. 10, Sched. H, s. 10.

Confidentiality of health cards

(4) No person shall require the production of another person’s health card, but a person who provides a provincially funded health resource to a person who has a health card may require the production of the health card. 2004, c. 3, Sched. A, s. 34 (4).

Exceptions

(5) Subsections (2) and (3) do not apply to,

(a) a person who collects, uses or discloses a health number for the purposes of a proceeding;

(b) a prescribed entity mentioned in subsection 45 (1) that collects, uses or discloses the health number in the course of carrying out its functions under section 45; or

(c) a health data institute that the Minister approves under subsection 47 (9) and that collects, uses or discloses the health number in the course of carrying out its functions under sections 47 and 48. 2004, c. 3, Sched. A, s. 34 (5).

35(1) A health information custodian shall not charge a person a fee for collecting or using personal health information except as authorized by the regulations made under this Act. 2004, c. 3, Sched. A, s. 35 (1).

Same, for disclosure

(2) When disclosing personal health information, a health information custodian shall not charge fees to a person that exceed the prescribed amount or the amount of reasonable cost recovery, if no amount is prescribed. 2004, c. 3, Sched. A, s. 35 (2).

(b) the information to be collected is reasonably necessary for providing health care or assisting in providing health care to the individual and it is not reasonably possible to collect, directly from the individual,

(i) personal health information that can reasonably be relied on as accurate and complete, or

(ii) personal health information in a timely manner;

(c) the custodian is an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act, or is acting as part of such an institution, and the custodian is collecting the information for a purpose related to,

(i) investigating a breach of an agreement or a contravention or an alleged contravention of the laws of Ontario or Canada,

(ii) the conduct of a proceeding or a possible proceeding, or

(iii) the statutory function of the custodian;

(d) the custodian collects the information from a person who is not a health information custodian for the purpose of carrying out research conducted in accordance with subsection 37 (3) or research that a research ethics board has approved under section 44 or that meets the criteria set out in clauses 44 (10) (a) to (c), except if the person is prohibited by law from disclosing the information to the custodian;

(e) the custodian is a prescribed entity mentioned in subsection 45 (1) and the custodian is collecting personal health information from a person who is not a health information custodian for the purpose of that subsection;

(f) the Commissioner authorizes that the collection be made in a manner other than directly from the individual;

(g) the custodian collects the information from a person who is permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada to disclose it to the custodian; or

(h) subject to the requirements and restrictions, if any, that are prescribed, the health information custodian is permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada to collect the information indirectly. 2004, c. 3, Sched. A, s. 36 (1); 2007, c. 10, Sched. H, s. 11.

Direct collection without consent

(2) A health information custodian may collect personal health information about an individual directly from the individual, even if the individual is incapable of consenting, if the collection is reasonably necessary for the provision of health care and it is not reasonably possible to obtain consent in a timely manner. 2004, c. 3, Sched. A, s. 36 (2).

37 (1) A health information custodian may use personal health information about an individual,

(a) for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose, but not if the information was collected with the consent of the individual or under clause 36 (1) (b) and the individual expressly instructs otherwise;

(b) for a purpose for which this Act, another Act or an Act of Canada permits or requires a person to disclose it to the custodian;

(c) for planning or delivering programs or services that the custodian provides or that the custodian funds in whole or in part, allocating resources to any of them, evaluating or monitoring any of them or detecting, monitoring or preventing fraud or any unauthorized receipt of services or benefits related to any of them;

(d) for the purpose of risk management, error management or for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the custodian;

(e) for educating agents to provide health care;

(f) in a manner consistent with Part II, for the purpose of disposing of the information or modifying the information in order to conceal the identity of the individual;

(g) for the purpose of seeking the individual’s consent, or the consent of the individual’s substitute decision-maker, when the personal health information used by the custodian for this purpose is limited to the name and contact information of the individual and the name and contact information of the substitute decision-maker, where applicable;

(h) for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding;

(i) for the purpose of obtaining payment or processing, monitoring, verifying or reimbursing claims for payment for the provision of health care or related goods and services;

(j) for research conducted by the custodian, subject to subsection (3), unless another clause of this subsection applies; or

(k) subject to the requirements and restrictions, if any, that are prescribed, if permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada. 2004, c. 3, Sched. A, s. 37 (1); 2007, c. 10, Sched. H, s. 12.

Agents

(2) If subsection (1) authorizes a health information custodian to use personal health information for a purpose, the custodian may provide the information to an agent of the custodian who may use it for that purpose on behalf of the custodian. 2004, c. 3, Sched. A, s. 37 (2).

Research

(3) Under clause (1) (j), a health information custodian may use personal health information about an individual only if the custodian prepares a research plan and has a research ethics board approve it and for that purpose subsections 44 (2) to (4) and clauses 44 (6) (a) to (f) apply to the use as if it were a disclosure. 2004, c. 3, Sched. A, s. 37 (3).

Mixed uses

(4) If a research plan mentioned in subsection (3) proposes that a health information custodian that is an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act or that is acting as part of such an institution use personal health information, together with personal information within the meaning of those two Acts that is not personal health information, those two Acts do not apply to the use and this section applies to the use. 2004, c. 3, Sched. A, s. 37 (4).

(a) to a health information custodian described in paragraph 1, 2 or 4 of the definition of “health information custodian” in subsection 3 (1), if the disclosure is reasonably necessary for the provision of health care and it is not reasonably possible to obtain the individual’s consent in a timely manner, but not if the individual has expressly instructed the custodian not to make the disclosure;

(b) in order for the Minister, another health information custodian or a local health integration network to determine or provide funding or payment to the custodian for the provision of health care; or

(2) If a health information custodian discloses personal health information about an individual under clause (1) (a) and if an instruction of the individual made under that clause prevents the custodian from disclosing all the personal health information that the custodian considers reasonably necessary to disclose for the provision of health care or assisting in the provision of health care to the individual, the custodian shall notify the person to whom it makes the disclosure of that fact. 2004, c. 3, Sched. A, s. 38 (2).

Facility that provides health care

(3) A health information custodian that is a facility that provides health care may disclose to a person the following personal health information relating to an individual who is a patient or a resident in the facility if the custodian offers the individual the option, at the first reasonable opportunity after admission to the facility, to object to such disclosures and if the individual does not do so:

1. The fact that the individual is a patient or resident in the facility.

2. The individual’s general health status described as critical, poor, fair, stable or satisfactory, or in similar terms.

(4) A health information custodian may disclose personal health information about an individual who is deceased, or is reasonably suspected to be deceased,

(a) for the purpose of identifying the individual;

(b) for the purpose of informing any person whom it is reasonable to inform in the circumstances of,

(i) the fact that the individual is deceased or reasonably suspected to be deceased, and

(ii) the circumstances of death, where appropriate; or

(c) to the spouse, partner, sibling or child of the individual if the recipients of the information reasonably require the information to make decisions about their own health care or their children’s health care. 2004, c. 3, Sched. A, s. 38 (4).

39(1) Subject to the requirements and restrictions, if any, that are prescribed, a health information custodian may disclose personal health information about an individual,

(a) for the purpose of determining or verifying the eligibility of the individual to receive health care or related goods, services or benefits provided under an Act of Ontario or Canada and funded in whole or in part by the Government of Ontario or Canada, by a local health integration network or by a municipality, or to receive coverage with respect to such health care, goods, services or benefits;

(b) to a person conducting an audit or reviewing an application for accreditation or reviewing an accreditation, if the audit or review relates to services provided by the custodian and the person does not remove any records of personal health information from the custodian’s premises;

(c) to a prescribed person who compiles or maintains a registry of personal health information for purposes of facilitating or improving the provision of health care or that relates to the storage or donation of body parts or bodily substances; or

(d) where,

(i) the disclosure is to another custodian described in paragraph 1, 2 or 4 of the definition of “health information custodian” in subsection 3 (1),

(ii) the individual to whom the information relates is one to whom both the disclosing custodian and recipient custodian provide health care or assist in the provision of health care or have previously provided health care or assisted in the provision of health care, and

(2) A health information custodian may disclose personal health information about an individual,

(a) to the Chief Medical Officer of Health or a medical officer of health within the meaning of the Health Protection and Promotion Act if the disclosure is made for a purpose of that Act;

(a.1) to the Ontario Agency for Health Protection and Promotion if the disclosure is made for a purpose of the
Ontario Agency for Health Protection and Promotion Act, 2007; or

(b) to a public health authority that is similar to the persons described in clause (a) and that is established under the laws of Canada, another province or a territory of Canada or other jurisdiction, if the disclosure is made for a purpose that is substantially similar to a purpose of the Health Protection and Promotion Act. 2004, c. 3, Sched. A, s. 39 (2); 2007, c. 10, Sched. K, s. 32.

Removal allowed

(3) Despite clause (1) (b), the person described in that clause may remove records of personal health information from the custodian’s premises if,

(a) the removal is authorized by or under an Act of Ontario or Canada; or

(b) an agreement between the custodian and the person authorizes the removal and provides that the records will be held in a secure and confidential manner and will be returned when the audit or review is completed. 2004, c. 3, Sched. A, s. 39 (3).

Authorization to collect

(4) A person who is not a health information custodian is authorized to collect the personal health information that a health information custodian may disclose to the person under clause (1) (c). 2004, c. 3, Sched. A, s. 39 (4).

40(1) A health information custodian may disclose personal health information about an individual if the custodian believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons. 2004, c. 3, Sched. A, s. 40 (1).

Disclosures related to care or custody

(2) A health information custodian may disclose personal health information about an individual to the head of a penal or other custodial institution in which the individual is being lawfully detained or to the officer in charge of a psychiatric facility within the meaning of the Mental Health Act in which the individual is being lawfully detained for the purposes described in subsection (3). 2004, c. 3, Sched. A, s. 40 (2).

Same

(3) A health information custodian may disclose personal health information about an individual under subsection (2) to assist an institution or a facility in making a decision concerning,

(a) arrangements for the provision of health care to the individual; or

Note: On a day to be named by proclamation of the Lieutenant Governor, clause 40 (3) (b) of the Act is amended by striking out “the Mental Health Act, the Ministry of Correctional Services Act” and substituting “the Correctional Services and Reintegration Act, 2018, the Mental Health Act”. (See: 2018, c. 6, Sched. 3, s. 11)

41(1) A health information custodian may disclose personal health information about an individual,

(a) subject to the requirements and restrictions, if any, that are prescribed, for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding;

(b) to a proposed litigation guardian or legal representative of the individual for the purpose of having the person appointed as such;

(c) to a litigation guardian or legal representative who is authorized under the Rules of Civil Procedure, or by a court order, to commence, defend or continue a proceeding on behalf of the individual or to represent the individual in a proceeding; or

(d) for the purpose of complying with,

(i) a summons, order or similar requirement issued in a proceeding by a person having jurisdiction to compel the production of information, or

(ii) a procedural rule that relates to the production of information in a proceeding. 2004, c. 3, Sched. A, s. 41 (1).

Disclosure by agent or former agent

(2) An agent or former agent who receives personal health information under subsection (1) or under subsection 37 (2) for purposes of a proceeding or contemplated proceeding may disclose the information to the agent’s or former agent’s professional advisor for the purpose of providing advice or representation to the agent or former agent, if the advisor is under a professional duty of confidentiality. 2004, c. 3, Sched. A, s. 41 (2).

Disclosure to successor

42(1) A health information custodian may disclose personal health information about an individual to a potential successor of the custodian, for the purpose of allowing the potential successor to assess and evaluate the operations of the custodian, if the potential successor first enters into an agreement with the custodian to keep the information confidential and secure and not to retain any of the information longer than is necessary for the purpose of the assessment or evaluation. 2004, c. 3, Sched. A, s. 42 (1).

Transfer to successor

(2) A health information custodian may transfer records of personal health information about an individual to the custodian’s successor if the custodian makes reasonable efforts to give notice to the individual before transferring the records or, if that is not reasonably possible, as soon as possible after transferring the records. 2004, c. 3, Sched. A, s. 42 (2).

Transfer to archives

(3) Subject to the agreement of the person who is to receive the transfer, a health information custodian may transfer records of personal health information about an individual to,

(a) the Archives of Ontario; or

(b) in the prescribed circumstances, a prescribed person whose functions include the collection and preservation of records of historical or archival importance, if the disclosure is made for the purpose of that function. 2004, c. 3, Sched. A, s. 42 (3).

(a) for the purpose of determining, assessing or confirming capacity under the Health Care Consent Act, 1996, the Substitute Decisions Act, 1992 or this Act;

(b) to a College within the meaning of the Regulated Health Professions Act, 1991 for the purpose of the administration or enforcement of the Drug and Pharmacies Regulation Act, the Regulated Health Professions Act, 1991 or an Act named in Schedule 1 to that Act;

(c) to the Board of Regents continued under the Drugless Practitioners Act for the purpose of the administration or enforcement of that Act;

(d) to the Ontario College of Social Workers and Social Service Workers for the purpose of the administration or enforcement of the Social Work and Social Service Work Act, 1998;

(e) to the Public Guardian and Trustee, the Children’s Lawyer, a children’s aid society, a residential placement advisory committee established under subsection 63 (1) of the Child, Youth and Family Services Act, 2017 or a designated custodian under section 223 of that Act so that they can carry out their statutory functions;

(f) in the circumstances described in clause 42 (1) (c), (g) or (n) of the Freedom of Information and Protection of Privacy Act or clause 32 (c), (g) or (l) of the Municipal Freedom of Information and Protection of Privacy Act, if the custodian is an institution within the meaning of whichever of those Acts applies, or is acting as part of such an institution;

(g) subject to the requirements and restrictions, if any, that are prescribed, to a person carrying out an inspection, investigation or similar procedure that is authorized by a warrant or by or under this Act or any other Act of Ontario or an Act of Canada for the purpose of complying with the warrant or for the purpose of facilitating the inspection, investigation or similar procedure;

(2) For the purposes of clause (1) (h) and subject to the regulations made under this Act, if an Act, an Act of Canada or a regulation made under any of those Acts specifically provides that information is exempt, under stated circumstances, from a confidentiality or secrecy requirement, that provision shall be deemed to permit the disclosure of the information in the stated circumstances. 2004, c. 3, Sched. A, s. 43 (2).

(3) When deciding whether to approve a research plan that a researcher submits to it, a research ethics board shall consider the matters that it considers relevant, including,

(a) whether the objectives of the research can reasonably be accomplished without using the personal health information that is to be disclosed;

(b) whether, at the time the research is conducted, adequate safeguards will be in place to protect the privacy of the individuals whose personal health information is being disclosed and to preserve the confidentiality of the information;

(c) the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose personal health information is being disclosed; and

(4) After reviewing a research plan that a researcher has submitted to it, the research ethics board shall provide to the researcher a decision in writing, with reasons, setting out whether the board approves the plan, and whether the approval is subject to any conditions, which must be specified in the decision. 2004, c. 3, Sched. A, s. 44 (4).

Agreement respecting disclosure

(5) Before a health information custodian discloses personal health information to a researcher under subsection (1), the researcher shall enter into an agreement with the custodian in which the researcher agrees to comply with the conditions and restrictions, if any, that the custodian imposes relating to the use, security, disclosure, return or disposal of the information. 2004, c. 3, Sched. A, s. 44 (5).

Compliance by researcher

(6) A researcher who receives personal health information about an individual from a health information custodian under subsection (1) shall,

(a) comply with the conditions, if any, specified by the research ethics board in respect of the research plan;

(b) use the information only for the purposes set out in the research plan as approved by the research ethics board;

(c) not publish the information in a form that could reasonably enable a person to ascertain the identity of the individual;

(d) despite subsection 49 (1), not disclose the information except as required by law and subject to the exceptions and additional requirements, if any, that are prescribed;

(e) not make contact or attempt to make contact with the individual, directly or indirectly, unless the custodian first obtains the individual’s consent to being contacted;

(f) notify the custodian immediately in writing if the researcher becomes aware of any breach of this subsection or the agreement described in subsection (5); and

(7) If a researcher submits a research plan under subsection (1) that proposes that a health information custodian that is an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act or that is acting as part of such an institution disclose to the researcher personal health information, together with personal information within the meaning of those two Acts that is not personal health information, those two Acts do not apply to the disclosure and this section applies to the disclosure. 2004, c. 3, Sched. A, s. 44 (7).

Transition

(8) Despite subsection (7), nothing in this section prevents a health information custodian that is an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act or that is acting as part of such an institution from disclosing to a researcher personal health information, that is personal information within the meaning of those two Acts, if, before November 1, 2004, the researcher entered into an agreement with the custodian under subclause 21 (1) (e) (iii) of the Freedom of Information and Protection of Privacy Act or subclause 14 (1) (e) (iii) of the Municipal Freedom of Information and Protection of Privacy Act and the disclosure is within the scope of the agreement. 2007, c. 10, Sched. H, s. 16.

Disclosure under other Acts

(9) Despite any other Act that permits a health information custodian to disclose personal health information to a researcher for the purpose of conducting research, this section applies to the disclosure as if it were a disclosure for research under this section unless the regulations made under this Act provide otherwise. 2004, c. 3, Sched. A, s. 44 (9).

Research approved outside Ontario

(10) Subject to subsection (11), a health information custodian may disclose personal health information to a researcher or may use the information to conduct research if,

(a) the research involves the use of personal health information originating wholly or in part outside Ontario;

(b) the research has received the prescribed approval from a body outside Ontario that has the function of approving research; and

(11) Subsections (1) to (4) and clauses (6) (a) and (b) do not apply to a disclosure or use made under subsection (10) and references in the rest of this section to subsection (1) shall be read as references to this subsection with respect to that disclosure or use. 2004, c. 3, Sched. A, s. 44 (11).

45 (1) A health information custodian may disclose to a prescribed entity personal health information for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services, if the entity meets the requirements under subsection (3). 2004, c. 3, Sched. A, s. 45 (1).

Exception

(2) Subsection (1) does not apply to,

(a) notes of personal health information about an individual that are recorded by a health information custodian and that document the contents of conversations during a private counselling session or a group, joint or family counselling session; or

(a) the entity has in place practices and procedures to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information; and

(b) the Commissioner has approved the practices and procedures, if the custodian makes the disclosure on or after the first anniversary of the day this section comes into force. 2004, c. 3, Sched. A, s. 45 (3).

Review by Commissioner

(4) The Commissioner shall review the practices and procedures of each prescribed entity every three years from the date of its approval and advise the health information custodian whether the entity continues to meet the requirements of subsection (3). 2004, c. 3, Sched. A, s. 45 (4).

Authorization to collect

(5) An entity that is not a health information custodian is authorized to collect the personal health information that a health information custodian may disclose to the entity under subsection (1). 2004, c. 3, Sched. A, s. 45 (5).

Use and disclosure

(6) Subject to the exceptions and additional requirements, if any, that are prescribed and despite subsection 49 (1), an entity that receives personal health information under subsection (1) shall not use the information except for the purposes for which it received the information and shall not disclose the information except as required by law. 2004, c. 3, Sched. A, s. 45 (6).

Monitoring health care payments

46 (1) A health information custodian shall, upon the request of the Minister, disclose to the Minister personal health information about an individual for the purpose of monitoring or verifying claims for payment for health care funded wholly or in part by the Ministry of Health and Long-Term Care or a local health integration network or for goods used for health care funded wholly or in part by the Ministry of Health and Long-Term Care or a local health integration network. 2006, c. 4, s. 51 (4).

Disclosure by Minister

(2) The Minister may disclose information collected under subsection (1) to any person for a purpose set out in that subsection if the disclosure is reasonably necessary for that purpose. 2004, c. 3, Sched. A, s. 46 (2).

“de-identify”, in relation to the personal health information of an individual, means to remove any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual, and “de-identification” has a corresponding meaning. 2004, c. 3, Sched. A, s. 47 (1).

Same

(2) Subject to the restrictions, if any, that are prescribed, a health information custodian shall, upon the request of the Minister, disclose personal health information to a health data institute that the Minister approves under subsection (9) for analysis with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services, if the requirements of this section are met. 2004, c. 3, Sched. A, s. 47 (2).

Form, manner and time of disclosure

(3) The Minister may specify the form and manner in which and the time at which the health information custodian is required to disclose the personal health information under subsection (2). 2004, c. 3, Sched. A, s. 47 (3).

Requirements for Minister

(4) Before requesting the disclosure of personal health information under subsection (2), the Minister shall submit a proposal to the Commissioner and, in accordance with this section, allow the Commissioner to review and comment on the proposal. 2004, c. 3, Sched. A, s. 47 (4).

Contents of proposal

(5) The proposal must identify a health data institute to which the personal health information would be disclosed under this section and must set out the prescribed matters. 2004, c. 3, Sched. A, s. 47 (5).

Review by Commissioner

(6) Within 30 days after the Commissioner receives the proposal, the Commissioner shall review the proposal and may comment in writing on the proposal. 2004, c. 3, Sched. A, s. 47 (6).

Consideration by Commissioner

(7) In reviewing the proposal, the Commissioner shall consider the public interest in conducting the analysis and theprivacy interest of the individuals to whom the personal health information relates in the circumstances. 2004, c. 3, Sched. A, s. 47 (7).

Consideration by Minister

(8) The Minister shall consider the comments, if any, made by the Commissioner within the time specified in subsection (6), and may amend the proposal if the Minister considers it appropriate. 2004, c. 3, Sched. A, s. 47 (8).

Approval of health data institute

(9) The Minister may approve a health data institute for the purposes of a disclosure made under this section if,

(a) the corporate objects of the institute include performing data analysis of personal health information, linking the information with other information and de-identifying the information for the Minister; and

(b) the institute has in place practices and procedures to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information and the Commissioner has approved those practices and procedures. 2004, c. 3, Sched. A, s. 47 (9).

Review by Commissioner

(10) The Commissioner shall review the practices and procedures of each health data institute every three years from the date of its approval and advise the Minister whether the institute continues to meet the requirements of clauses (9) (a) and (b). 2004, c. 3, Sched. A, s. 47 (10).

Withdrawal of approval

(11) The Minister shall withdraw the approval of a health data institute that ceases to meet the requirements of clauses (9) (a) and (b) or to carry out its objects mentioned in clause (9) (a), unless the Minister requires the institute to take immediate steps to satisfy the Minister that it will meet the requirements or that it will carry out the objects. 2004, c. 3, Sched. A, s. 47 (11).

Effect of withdrawal of approval

(12) If the Minister withdraws the approval of a health data institute, the institute shall,

(a) make no further use or disclosure of any personal health information that a health information custodian has disclosed to it under subsection (2) or any information derived from that personal health information; and

(b) comply with the written directions of the Minister that the Commissioner has approved in writing with respect to information described in clause (a). 2004, c. 3, Sched. A, s. 47 (12).

If institute ceases to exist

(13) If a health data institute ceases to exist, the persons holding the personal health information that the institute received under subsection (2) and held when it ceased to exist shall comply with the written directions of the Minister that the Commissioner has approved in writing with respect to the information. 2004, c. 3, Sched. A, s. 47 (13).

Disclosure by Minister

(14) The Minister may disclose to the health data institute that receives personal health information under subsection (2) other personal health information for the purposes of the analysis and linking that the Minister requires if the disclosure is included in the Minister’s proposal, as amended under subsection (8), if applicable. 2004, c. 3, Sched. A, s. 47 (14).

(a) follow the practices and procedures described in clause (9) (b) that the Commissioner has approved;

(b) perform the analysis and linking with other data that the Minister requires;

(c) de-identify the information;

(d) provide the results of the analysis and linking, using only de-identified information, to the Minister or to the persons that the Minister approves;

(e) not disclose the information to the Minister or to the persons that the Minister approves except in a de-identified form; and

(f) subject to clauses (d) and (e), not disclose to any persons the information, even in a de-identified form, or any information derived from the information. 2004, c. 3, Sched. A, s. 47 (15).

Transition

(16) If the Minister has lawfully required the disclosure of personal health information for a purpose described in subsection (2) in the 18 months before this section comes into force, this section does not apply with respect to a disclosure the Minister requires for a substantially similar purpose after this section comes into force until the first anniversary of the coming into force of this section. 2004, c. 3, Sched. A, s. 47 (16).

Notification

(17) If the Minister requires a disclosure for a substantially similar purpose under subsection (16) after this section comes into force, the Minister shall notify the Commissioner within the later of the time of requiring the disclosure and 90 days after this section comes into force. 2004, c. 3, Sched. A, s. 47 (17).

No hearing required

(18) The Minister is not required to hold a hearing or to afford to any person an opportunity for a hearing before making a decision under this section. 2004, c. 3, Sched. A, s. 47 (18).

Disclosure with Commissioner’s approval

48 (1) A health data institute to which a health information custodian has disclosed personal health information under section 47, shall, upon the request of the Minister and in accordance with the Commissioner’s approval given under this section, disclose the information to the Minister or another person approved by the Minister if the Minister is of the opinion that it is in the public interest to request the disclosure and the requirements of this section have been met. 2004, c. 3, Sched. A, s. 48 (1).

(a) notes of personal health information about an individual that are recorded by a health information custodian and that document the contents of conversations during a private counselling session or a group, joint or family counselling session; or

(b) information that is prescribed. 2004, c. 3, Sched. A, s. 48 (2).

Commissioner’s approval required

(3) The Minister shall not request the disclosure of personal health information under subsection (1) unless the Minister has submitted to the Commissioner a proposal for the disclosure and the Commissioner has approved the proposal. 2004, c. 3, Sched. A, s. 48 (3).

Contents of proposal

(4) The proposal must include,

(a) a statement as to why the disclosure is reasonably required in the public interest and why the disclosure under section 47 was insufficient to meet the public interest;

(b) the extent of the identifiers that the Minister proposes be part of the information disclosed and a statement as to why the use of those identifiers is reasonably required for the purpose of the disclosure;

(c) a copy of all proposals and comments previously made or received under section 47 in respect of the information, if any; and

(5) If the Commissioner approves the proposal, the Commissioner may specify terms, conditions or limitations for the disclosure. 2004, c. 3, Sched. A, s. 48 (5).

Restrictions on recipients

49 (1) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian and to whom a health information custodian discloses personal health information, shall not use or disclose the information for any purpose other than,

(a) the purpose for which the custodian was authorized to disclose the information under this Act; or

(2) Subject to the exceptions and additional requirements, if any, that are prescribed, a person who is not a health information custodian, and to whom a health information custodian discloses personal health information, shall not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, as the case may be, unless the use or disclosure is required by law. 2004, c. 3, Sched. A, s. 49 (2).

Employee or agent information

(3) Except as permitted or required by law and subject to the exceptions and additional requirements, if any, that are prescribed, if a health information custodian discloses information to another health information custodian and the information is identifying information of the type described in subsection 4 (4) in the custody or under the control of the receiving custodian, the receiving custodian shall not,

(a) use or disclose the information for any purpose other than,

(i) the purpose for which the disclosing custodian was authorized to disclose the information under this Act, or

(ii) the purpose of carrying out a statutory or legal duty; or

(b) use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, as the case may be. 2004, c. 3, Sched. A, s. 49 (3).

Same

(4) The restrictions set out in clauses (3) (a) and (b) apply to a health information custodian that receives the identifying information described in subsection (3) even if the custodian receives the information before the day that subsection comes into force. 2004, c. 3, Sched. A, s. 49 (4).

Freedom of information legislation

(5) Except as prescribed, subsections (1) to (4) do not apply to an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act
that is not a health information custodian or to a person employed by or acting for such an institution when the person is acting in that capacity. 2007, c. 10, Sched. H, s. 17.

Same

(6) Where this Act permits or requires a health information custodian to disclose personal health information to an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is not a health information custodian, the institution may collect the information from the custodian. 2007, c. 10, Sched. H, s. 17.

50(1) A health information custodian may disclose personal health information about an individual collected in Ontario to a person outside Ontario only if,

(a) the individual consents to the disclosure;

(b) this Act permits the disclosure;

(c) the person receiving the information performs functions comparable to the functions performed by a person to whom this Act would permit the custodian to disclose the information in Ontario under subsection 40 (2) or clause 43 (1) (b), (c), (d) or (e);

(d) the following conditions are met:

(i) the custodian is a prescribed entity mentioned in subsection 45 (1) and is prescribed for the purpose of this clause,

(ii) the disclosure is for the purpose of health planning or health administration,

(iii) the information relates to health care provided in Ontario to a person who is resident of another province or territory of Canada, and

(iv) the disclosure is made to the government of that province or territory;

(e) the disclosure is reasonably necessary for the provision of health care to the individual, but not if the individual has expressly instructed the custodian not to make the disclosure; or

(f) the disclosure is reasonably necessary for the administration of payments in connection with the provision of health care to the individual or for contractual or legal requirements in that connection. 2004, c. 3, Sched. A, s. 50 (1).

Notice of instruction

(2) If a health information custodian discloses personal health information about an individual under clause (1) (e) and if an instruction of the individual made under that clause prevents the custodian from disclosing all the personal health information that the custodian considers reasonably necessary to disclose for the provision of health care to the individual, the custodian shall notify the person to whom it makes the disclosure of that fact. 2004, c. 3, Sched. A, s. 50 (2).

PART V ACCESS TO Records of PERSONAL HEALTH INFORMATION AND CORRECTION

Access

Application of Part

51 (1) This Part does not apply to a record that contains,

(a) quality of care information;

(b) personal health information collected or created for the purpose of complying with the requirements of a quality assurance program within the meaning of the Health Professions Procedural Code that is Schedule 2 to the Regulated Health Professions Act, 1991;

(c) raw data from standardized psychological tests or assessments; or

(d) personal health information of the prescribed type in the custody or under the control of a prescribed class or classes of health information custodians. 2004, c. 3, Sched. A, s. 51 (1).

Severable record

(2) Despite subsection (1), this Part applies to that part of a record of personal health information that can reasonably be severed from the part of the record that contains the information described in clauses (1) (a) to (d). 2004, c. 3, Sched. A, s. 51 (2).

Health care practitioner acting for an institution

(3) This Part does not apply to a record in the custody or under the control of a health care practitioner who is employed by or acting for an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act
that is not a health information custodian if the individual has the right to request access to the record under one of those Acts. 2007, c. 10, Sched. H, s. 18.

Permission to disclose

(4) When subsection (3) applies to a record, the health care practitioner may disclose the record to the institution to enable the institution to process the individual’s request under the Freedom of Information and Protection of Privacy Actor the Municipal Freedom of Information and Protection of Privacy Act, as the case may be, for access to the record. 2007, c. 10, Sched. H, s. 18.

Note: On a day to be named by proclamation of the Lieutenant Governor, section 51 of the Act is amended by adding the following subsections: (See: 2016, c. 6, Sched. 1, s. 1 (10))

Application to prescribed organization

(5) Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to the prescribed organization as if it were a health information custodian with respect to the following records and as if the prescribed organization has custody or control of the records:

1. A record of personal health information that is accessible to health information custodians by means of the electronic health record developed and maintained by the prescribed organization.

(6) Subject to any exceptions and additional requirements, if any, that are prescribed, this Part applies to a record in the custody or control of a health information custodian respecting all instances where all or part of the personal health information of the individual that is accessible by means of the electronic health record developed and maintained by the prescribed organization is viewed, handled or otherwise dealt with by the custodian. 2016, c. 6, Sched. 1, s. 1 (10).

52 (1) Subject to this Part, an individual has a right of access to a record of personal health information about the individual that is in the custody or under the control of a health information custodian unless,

(a) the record or the information in the record is subject to a legal privilege that restricts disclosure of the record or the information, as the case may be, to the individual;

(b) another Act, an Act of Canada or a court order prohibits disclosure to the individual of the record or the information in the record in the circumstances;

(c) the information in the record was collected or created primarily in anticipation of or for use in a proceeding, and the proceeding, together with all appeals or processes resulting from it, have not been concluded;

(d) the following conditions are met:

(i) the information was collected or created in the course of an inspection, investigation or similar procedure authorized by law, or undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a service or benefit, to which the person is not entitled under an Act or a program operated by the Minister, or a payment for such a service or benefit, and

(ii) the inspection, investigation, or similar procedure, together with all proceedings, appeals or processes resulting from them, have not been concluded;

(e) granting the access could reasonably be expected to,

(i) result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person,

(ii) lead to the identification of a person who was required by law to provide information in the record to the custodian, or

(iii) lead to the identification of a person who provided information in the record to the custodian explicitly or implicitly in confidence if the custodian considers it appropriate in the circumstances that the identity of the person be kept confidential; or

(f) the following conditions are met:

(i) the custodian is an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act or is acting as part of such an institution, and

(ii) the custodian would refuse to grant access to the part of the record,

(A) under clause 49 (a), (c) or (e) of the Freedom of Information and Protection of Privacy Act, if the request were made under that Act and that Act applied to the record, or

(B) under clause 38 (a) or (c) of the Municipal Freedom of Information and Protection of Privacy Act, if the request were made under that Act and that Act applied to the record. 2004, c. 3, Sched. A, s. 52 (1); 2007, c. 10, Sched. H, s. 19; 2009, c. 33, Sched. 18, s. 25 (5).

Severable record

(2) Despite subsection (1), an individual has a right of access to that part of a record of personal health information about the individual that can reasonably be severed from the part of the record to which the individual does not have a right of access as a result of clauses (1) (a) to (f). 2004, c. 3, Sched. A, s. 52 (2).

Same

(3) Despite subsection (1), if a record is not a record dedicated primarily to personal health information about the individual requesting access, the individual has a right of access only to the portion of personal health information about the individual in the record that can reasonably be severed from the record for the purpose of providing access. 2004, c. 3, Sched. A, s. 52 (3).

Individual’s plan of service

(4) Despite subsection (1), a health information custodian shall not refuse to grant the individual access to his or her plan of service within the meaning of the Home Care and Community Services Act, 1994. 2004, c. 3, Sched. A, s. 52 (4); 2007, c. 8, s. 224 (7).

Consultation regarding harm

(5) Before deciding to refuse to grant an individual access to a record of personal health information under subclause (1) (e) (i), a health information custodian may consult with a member of the College of Physicians and Surgeons of Ontario or a member of the College of Psychologists of Ontario. 2004, c. 3, Sched. A, s. 52 (5).

Informal access

(6) Nothing in this Act prevents a health information custodian from,

(a) granting an individual access to a record of personal health information, to which the individual has a right of access, if the individual makes an oral request for access or does not make any request for access under section 53; or

(b) with respect to a record of personal health information to which an individual has a right of access, communicating with the individual or his or her substitute decision-maker who is authorized to consent on behalf of the individual to the collection, use or disclosure of personal health information about the individual. 2004, c. 3, Sched. A, s. 52 (6).

Duty of health information custodian

(7) Nothing in this Part relieves a health information custodian from a legal duty to provide, in a manner that is not inconsistent with this Act, personal health information as expeditiously as is necessary for the provision of health care to the individual. 2004, c. 3, Sched. A, s. 52 (7).

53 (1) An individual may exercise a right of access to a record of personal health information by making a written request for access to the health information custodian that has custody or control of the information. 2004, c. 3, Sched. A, s. 53 (1).

Detail in request

(2) The request must contain sufficient detail to enable the health information custodian to identify and locate the record with reasonable efforts. 2004, c. 3, Sched. A, s. 53 (2).

Assistance

(3) If the request does not contain sufficient detail to enable the health information custodian to identify and locate the record with reasonable efforts, the custodian shall offer assistance to the person requesting access in reformulating the request to comply with subsection (2). 2004, c. 3, Sched. A, s. 53 (3).

Response of health information custodian

54 (1) A health information custodian that receives a request from an individual for access to a record of personal health information shall,

(a) make the record available to the individual for examination and, at the request of the individual, provide a copy of the record to the individual and if reasonably practical, an explanation of any term, code or abbreviation used in the record;

(b) give a written notice to the individual stating that, after a reasonable search, the custodian has concluded that the record does not exist, cannot be found, or is not a record to which this Part applies, if that is the case;

(c) if the custodian is entitled to refuse the request, in whole or in part, under any provision of this Part other than clause 52 (1) (c), (d) or (e), give a written notice to the individual stating that the custodian is refusing the request, in whole or in part, providing a reason for the refusal and stating that the individual is entitled to make a complaint about the refusal to the Commissioner under Part VI; or

(d) subject to subsection (1.1), if the custodian is entitled to refuse the request, in whole or in part, under clause 52 (1) (c), (d) or (e), give a written notice to the individual stating that the individual is entitled to make a complaint about the refusal to the Commissioner under Part VI, and that the custodian is refusing,

(i) the request, in whole or in part, while citing which of clauses 52 (1) (c), (d) and (e) apply,

(ii) the request, in whole or in part, under one or more of clauses 52 (1) (c), (d) and (e), while not citing which of those provisions apply, or

(1.1) A custodian acting under clause (1) (d) shall not act under subclause (1) (d) (i) where doing so would reasonably be expected in the circumstances known to the person making the decision on behalf of the custodian to reveal to the individual, directly or indirectly, information to which the individual does not have a right of access. 2007, c. 10, Sched. H, s. 20 (3).

Time for response

(2) Subject to subsection (3), the health information custodian shall give the response required by clause (1) (a), (b), (c) or (d) as soon as possible in the circumstances but no later than 30 days after receiving the request. 2004, c. 3, Sched. A, s. 54 (2).

Extension of time for response

(3) Within 30 days after receiving the request for access, the health information custodian mayextend the time limit set out in subsection (2) for a further period of time of not more than 30 days if,

(a) meeting the time limit would unreasonably interfere with the operations of the custodian because the information consists of numerous pieces of information or locating the information would necessitate a lengthy search; or

(b) the time required to undertake the consultations necessary to reply to the request within 30 days after receiving it would make it not reasonably practical to reply within that time. 2004, c. 3, Sched. A, s. 54 (3).

Notice of extension

(4) Upon extending the time limit under subsection (3), the health information custodian shall give the individual written notice of the extension setting out the length of the extension and the reason for the extension. 2004, c. 3, Sched. A, s. 54 (4).

Expedited access

(5) Despite subsection (2), the health information custodian shall give the response required by clause (1) (a), (b), (c) or (d) within the time period that the individual specifies if,

(a) the individual provides the custodian with evidence satisfactory to the custodian, acting on a reasonable basis, that the individual requires access to the requested record of personal health information on an urgent basis within that time period; and

(b) the custodian is reasonably able to give the required response within that time period. 2004, c. 3, Sched. A, s. 54 (5).

Frivolous or vexatious requests

(6) A health information custodian that believes on reasonable grounds that a request for access to a record of personal health information is frivolous or vexatious or is made in bad faith may refuse to grant the individual access to the requested record. 2004, c. 3, Sched. A, s. 54 (6).

Effect of non-compliance

(7) If the health information custodian does not respond to the request within the time limit or before the extension, if any, expires, the custodian shall be deemed to have refused the individual’s request for access. 2004, c. 3, Sched. A, s. 54 (7).

Right to complain

(8) If the health information custodian refuses or is deemed to have refused the request, in whole or in part,

(a) the individual is entitled to make a complaint about the refusal to the Commissioner under Part VI; and

(b) in the complaint, the burden of proof in respect of the refusal lies on the health information custodian. 2004, c. 3, Sched. A, s. 54 (8).

Identity of individual

(9) A health information custodian shall not make a record of personal health information or a part of it available to an individual under this Part or provide a copy of it to an individual under clause (1) (a) without first taking reasonable steps to be satisfied as to the individual’s identity. 2004, c. 3, Sched. A, s. 54 (9).

Fee for access

(10) A health information custodian that makes a record of personal health information or a part of it available to an individual under this Part or provides a copy of it to an individual under clause (1) (a) may charge the individual a fee for that purpose if the custodian first gives the individual an estimate of the fee. 2004, c. 3, Sched. A, s. 54 (10).

Amount of fee

(11) The amount of the fee shall not exceed the prescribed amount or the amount of reasonable cost recovery, if no amount is prescribed. 2004, c. 3, Sched. A, s. 54 (11).

Waiver of fee

(12) A health information custodian mentioned in subsection (10) may waive the payment of all or any part of the fee that an individual is required to pay under that subsection if, in the custodian’s opinion, it is fair and equitable to do so. 2004, c. 3, Sched. A, s. 54 (12).

55 (1) If a health information custodian has granted an individual access to a record of his or her personal health information and if the individual believes that the record is inaccurate or incomplete for the purposes for which the custodian has collected, uses or has used the information, the individual may request in writing that the custodian correct the record. 2004, c. 3, Sched. A, s. 55 (1); 2007, c. 10, Sched. H, s. 21.

Informal request

(2) If the individual makes an oral request that the health information custodian correct the record, nothing in this Part prevents the custodian from making the requested correction. 2004, c. 3, Sched. A, s. 55 (2).

Reply

(3) As soon as possible in the circumstances but no later than 30 days after receiving a request for a correction under subsection (1), the health information custodian shall, by written notice to the individual, grant or refuse the individual’s request or extend the deadline for replying for a period of not more than 30 days if,

(a) replying to the request within 30 days would unreasonably interfere with the activities of the custodian; or

(b) the time required to undertake the consultations necessary to reply to the request within 30 days would make it not reasonably practical to reply within that time. 2004, c. 3, Sched. A, s. 55 (3).

Extension of time for reply

(4) A health information custodian that extends the time limit under subsection (3) shall,

(a) give the individual written notice of the extension setting out the length of the extension and the reason for the extension; and

(b) grant or refuse the individual’s request as soon as possible in the circumstances but no later than the expiry of the time limit as extended. 2004, c. 3, Sched. A, s. 55 (4).

Deemed refusal

(5) A health information custodian that does not grant a request for a correction under subsection (1) within the time required shall be deemed to have refused the request. 2004, c. 3, Sched. A, s. 55 (5).

Frivolous or vexatious requests

(6) A health information custodian that believes on reasonable grounds that a request for a correction under subsection (1) is frivolous or vexatious or is made in bad faith may refuse to grant the request and, in that case, shall provide the individual with a notice that sets out the reasons for the refusal and that states that the individual is entitled to make a complaint about the refusal to the Commissioner under Part VI. 2004, c. 3, Sched. A, s. 55 (6).

Right to complain

(7) The individual is entitled to make a complaint to the Commissioner under Part VI about a refusal made under subsection (6). 2004, c. 3, Sched. A, s. 55 (7).

Duty to correct

(8) The health information custodian shall grant a request for a correction under subsection (1) if the individual demonstrates, to the satisfaction of the custodian, that the record is incomplete or inaccurate for the purposes for which the custodian uses the information and gives the custodian the information necessary to enable the custodian to correct the record. 2004, c. 3, Sched. A, s. 55 (8).

Exceptions

(9) Despite subsection (8), a health information custodian is not required to correct a record of personal health information if,

(a) it consists of a record that was not originally created by the custodian and the custodian does not have sufficient knowledge, expertise and authority to correct the record; or

(b) it consists of a professional opinion or observation that a custodian has made in good faith about the individual. 2004, c. 3, Sched. A, s. 55 (9).

Duties upon correction

(10) Upon granting a request for a correction under subsection (1), the health information custodian shall,

(a) make the requested correction by,

(i) recording the correct information in the record and,

(A) striking out the incorrect information in a manner that does not obliterate the record, or

(B) if that is not possible, labelling the information as incorrect, severing the incorrect information from the record, storing it separately from the record and maintaining a link in the record that enables a person to trace the incorrect information, or

(ii) if it is not possible to record the correct information in the record, ensuring that there is a practical system in place to inform a person who accesses the record that the information in the record is incorrect and to direct the person to the correct information;

(b) give notice to the individual of what it has done under clause (a);

(c) at the request of the individual, give written notice of the requested correction, to the extent reasonably possible, to the persons to whom the custodian has disclosed the information with respect to which the individual requested the correction of the record, except if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or other benefits to the individual. 2004, c. 3, Sched. A, s. 55 (10).

Notice of refusal

(11) A notice of refusal under subsection (3) or (4) must give the reasons for the refusal and inform the individual that the individual is entitled to,

(a) prepare a concise statement of disagreement that sets out the correction that the health information custodian has refused to make;

(b) require that the health information custodian attach the statement of disagreement as part of the records that it holds of the individual’s personal health information and disclose the statement of disagreement whenever the custodian discloses information to which the statement relates;

(c) require that the health information custodian make all reasonable efforts to disclose the statement of disagreement to any person who would have been notified under clause (10) (c) if the custodian had granted the requested correction; and

(d) make a complaint about the refusal to the Commissioner under Part VI. 2004, c. 3, Sched. A, s. 55 (11).

Rights of individual

(12) If a health information custodian, under subsection (3) or (4), refuses a request for a correction under subsection (1), in whole or in part, or is deemed to have refused the request, the individual is entitled to take the actions described in any of clauses (11) (a), (b), (c) and (d). 2004, c. 3, Sched. A, s. 55 (12).

Custodian’s duty

(13) If the individual takes an action described in clause (11) (b) or (c), the health information custodian shall comply with the requirements described in the applicable clause. 2004, c. 3, Sched. A, s. 55 (13).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following Part: (See: 2016, c. 6, Sched. 1, s. 1 (11))

Part v.1 Electronic Health Record

Interpretation

55.1 (1) In this Part,

“advisory committee” means the advisory committee established by the Minister under section 55.11; (“comité consultatif”)

“consent directive” means a directive under section 55.6 and includes a directive to modify or withdraw a directive that has already been made; (“directive en matière de consentement”)

“de-identify” and related expressions have the same meaning as in subsection 47 (1); (“anonymiser”)

“electronic health record” means the electronic systems that are developed and maintained by the prescribed organization for the purpose of enabling health information custodians to collect, use and disclose personal health information by means of the systems in accordance with this Part and the regulations made under this Part; (“dossier de santé électronique”)

(2) Despite anything in section 2, for the purposes of this Part, a health information custodian is considered to be collecting, using or disclosing personal health information in the following circumstances:

1. When a health information custodian views, handles or otherwise deals with all or part of an individual’s personal health information by means of the electronic health record and that information was provided to the prescribed organization by another health information custodian,

i. the health information custodian is considered to be collecting the personal health information if it is viewing, handling or otherwise dealing with the information for the first time, and

ii. the health information custodian is considered to be using the personal health information each time it subsequently views, handles or otherwise deals with the information.

2. Whenever a health information custodian views, handles or otherwise deals with all or part of an individual’s personal health information by means of the electronic health record and that information was provided to the prescribed organization by the custodian, the custodian is considered to be using the personal health information.

3. A health information custodian who provides personal health information to the prescribed organization is considered to be disclosing the information only when another health information custodian collects the information by means of the electronic health record. 2016, c. 6, Sched. 1, s. 1 (11).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (12))

Electronic health record

55.2 (1) The prescribed organization has the power and the duty to develop and maintain the electronic health record in accordance with this Part and the regulations made under this Part. 2016, c. 6, Sched. 1, s. 1 (12).

Functions of prescribed organization

(2) The prescribed organization shall perform the following functions:

2. Ensure the proper functioning of the electronic health record by servicing the electronic systems that support the electronic health record.

3. Ensure the accuracy and quality of the personal health information that is accessible by means of the electronic health record by conducting data quality assurance activities on the personal health information it receives from health information custodians.

4. Conduct analyses of the personal health information that is accessible by means of the electronic health record in order to provide alerts and reminders to health information custodians for their use in the provision of health care to individuals. 2016, c. 6, Sched. 1, s. 1 (12).

Other powers and duties

(3) In addition to carrying out the powers, duties and functions described in this Part and in Part V, the prescribed organization shall carry out any prescribed powers, duties or functions. 2016, c. 6, Sched. 1, s. 1 (12).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (13))

Requirements for electronic health record

55.3 The prescribed organization shall comply with the following requirements in developing and maintaining the electronic health record:

1. It shall take reasonable steps to limit the personal health information it receives to that which is reasonably necessary for developing and maintaining the electronic health record.

2. It shall not permit its employees or any other person acting on its behalf to view, handle or otherwise deal with the personal health information received from health information custodians, unless the employee or person acting on behalf of the prescribed organization agrees to comply with the restrictions that apply to the prescribed organization.

3. It shall make available to the public and to each health information custodian that provides personal health information to it,

i. a plain language description of the electronic health record, including a general description of the administrative, technical and physical safeguards in place to,

A. protect against theft, loss and unauthorized collection, use or disclosure of the personal health information that is accessible by means of the electronic health record,

B. protect the personal health information that is accessible by means of the electronic health record against unauthorized copying, modification or disposal, and

C. protect the integrity, security and confidentiality of the personal health information that is accessible by means of the electronic health record, and

ii. any directives, guidelines and policies of the prescribed organization that apply to the personal health information that is accessible by means of the electronic health record, to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information.

4. It shall,

i. keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is viewed, handled or otherwise dealt with, and ensure that the record identifies the individual to whom the information relates, the type of information that is viewed, handled or otherwise dealt with, all persons who have viewed, handled or otherwise dealt with the information, and the date, time and location of the viewing, handling, or dealing with, and

ii. in the event that a health information custodian has requested that the prescribed organization transmit to the custodian personal health information that is accessible by means of the electronic health record, keep an electronic record of all instances where personal health information is transmitted to the custodian by means of the electronic health record, and ensure that the record identifies the individual to whom the information relates, the type of information that is transmitted, the custodian requesting the information, the date and time that the information was transmitted, and the location to which the information was transmitted.

5. It shall keep an electronic record of all instances where a consent directive is made, withdrawn or modified, and shall ensure that the record identifies the individual who made, withdrew or modified the consent directive, the instructions that the individual provided regarding the consent directive, the health information custodian, agent or other person to whom the directive is made, withdrawn or modified, and the date and time that the consent directive was made, withdrawn or modified.

6. It shall keep an electronic record of all instances where all or part of the personal health information that is accessible by means of the electronic health record is disclosed under section 55.7 and shall ensure that the record identifies the health information custodian that disclosed the information, the health information custodian that collected the information, any agent of the health information custodian who collected the information, the individual to whom the information relates, the type of information that was disclosed, the date and time of the disclosure and the purpose of the disclosure.

7. It shall audit and monitor the electronic records that it is required to keep under paragraphs 4, 5 and 6.

8. It shall, upon the request of the Commissioner provide to the Commissioner, for the purposes of Part VI, the electronic records kept under paragraphs 4, 5 and 6.

9. It shall, upon request of a health information custodian that requires the records to audit and monitor its compliance with this Act, provide to the custodian or an agent acting on the custodian’s behalf, the records kept under paragraphs 4, 5 and 6.

10. It shall perform, for each system that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record, an assessment with respect to,

i. threats, vulnerabilities and risks to the security and integrity of the personal health information, and

ii. how each of those systems may affect the privacy of the individuals to whom the information relates.

11. It shall notify, at the first reasonable opportunity, each health information custodian that provided personal health information to the prescribed organization if the personal health information that the health information custodian provided is stolen or lost or if it is collected, used or disclosed without authority.

12. It shall,

i. make available to each health information custodian that provided personal health information to the prescribed organization a written copy of the results of the assessments carried out under paragraph 10 that relates to the personal health information the custodian provided, and

ii. make available to the public a summary of the results of the assessments carried out under paragraph 10.

13. It shall ensure that any third party it retains to assist in providing services for the purpose of developing or maintaining the electronic health record agrees to comply with the restrictions and conditions that are necessary to enable the prescribed organization to comply with all these requirements.

14. On and after the first anniversary of the day this section comes into force, it shall have in place and comply with practices and procedures,

i. that are for the purpose of protecting the privacy of the individuals whose personal health information it receives and for maintaining the confidentiality of the information, and

ii. that are approved by the Commissioner.

15. It shall notify the Commissioner, in writing, immediately after becoming aware that personal health information that is accessible by means of the electronic health record,

i. has been viewed, handled or otherwise dealt with by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations, or

ii. has been made available or released by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with this Act or its regulations.

16. It shall submit to the Commissioner, at least annually, a report in the form and manner specified by the Commissioner, and based on or containing any information, other than personal health information, that is kept in the electronic record required under paragraph 6 that the Commissioner may specify, respecting every instance in which personal health information was disclosed under section 55.7 since the time of the last report.

17. It shall comply with the practices and procedures prescribed in the regulations when managing consent directives.

18. It shall have in place and comply with practices and procedures that have been approved by the Minister for responding to or facilitating a response to a request made by an individual under Part V in respect of the individual’s record of personal health information that is accessible by means of the electronic health record.

19. It shall comply with such other requirements as may be prescribed in the regulations. 2016, c. 6, Sched. 1, s. 1 (13).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (14))

Minister’s directives

55.4 (1) The Minister may make directives to the prescribed organization with respect to the carrying out of its powers, duties and functions under this Part, and the prescribed organization shall comply with the directives of the Minister. 2016, c. 6, Sched. 1, s. 1 (14).

Consultation

(2) Before making a directive under subsection (1), the Minister shall,

(a) submit a draft of the directive to the Commissioner and the advisory committee for the purpose of reviewing and making recommendations on the draft directive; and

(b) consider the recommendations, if any, made by the Commissioner and the advisory committee and amend the directive if the Minister considers it appropriate to do so. 2016, c. 6, Sched. 1, s. 1 (14).

Timing

(3) The Minister shall allow the Commissioner and the advisory committee a period of at least 30 days for the purposes of review and recommendation under subsection (2), unless the Minister believes that there are urgent circumstances involving a significant risk to privacy or the confidentiality of personal health information, in which case the Minister may abridge the review period for both the Commissioner and the advisory committee to not less than five business days. 2016, c. 6, Sched. 1, s. 1 (14).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (15))

Collection, use, disclosure by custodians

Restrictions on collection

55.5 (1) A health information custodian shall not collect personal health information by means of the electronic health record except for the purpose of,

(a) providing or assisting in the provision of health care to the individual to whom the information relates; or

(b) eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, where the health information custodian believes on reasonable grounds that the collection is necessary for this purpose. 2016, c. 6, Sched. 1, s. 1 (15).

Unique identification

(2) A health information custodian may collect, use and disclose prescribed data elements for the purpose of uniquely identifying an individual in order to collect personal health information under subsection (1). 2016, c. 6, Sched. 1, s. 1 (15).

Where consent directive exists

(3) Despite subsection (1), where personal health information that is accessible by means of the electronic health record is subject to a consent directive made by an individual under subsection 55.6 (1), a health information custodian may only collect the personal health information in the circumstances permitted under subsection 55.7 (1), (2) or (3). 2016, c. 6, Sched. 1, s. 1 (15).

Use or disclosure

(4) A health information custodian that collects personal health information under clause (1) (a) may use or disclose the information for any purpose for which this Act permits or requires a custodian to use or disclose personal health information. 2016, c. 6, Sched. 1, s. 1 (15).

Same

(5) Despite any other provision in this Act or the regulations, a health information custodian that collects personal health information under clause (1) (b) may only use or disclose the information for the purpose for which the information was collected. 2016, c. 6, Sched. 1, s. 1 (15).

Section 12 obligations

(6) If a health information custodian requests that the prescribed organization transmit personal health information to the custodian by means of the electronic health record and the prescribed organization transmits the information as requested, the custodian shall comply with the obligations referred to in subsection 12 (1) with respect to the transmitted information, regardless of whether the custodian has viewed, handled or otherwise dealt with the information. 2016, c. 6, Sched. 1, s. 1 (15).

Same, notice of unauthorized collection

(7) Subject to the exceptions and additional requirements, if any, that are prescribed, and in addition to any notice that is required to be given in the case of an unauthorized use or disclosure under subsections 12 (2) and (3), if personal health information about an individual is collected without authority by means of the electronic health record, the health information custodian who is responsible for the unauthorized collection shall,

(a) notify the individual at the first reasonable opportunity of the unauthorized collection, and include in the notice a statement that the individual is entitled to make a complaint to the Commissioner under Part VI; and

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (16))

Consent directives

55.6 (1) Subject to the limitations prescribed in the regulations, if any, an individual may at any time make a directive that withholds or withdraws, in whole or in part, the individual’s consent to the collection, use and disclosure of his or her personal health information by means of the electronic health record by a health information custodian for the purposes of providing or assisting in the provision of health care to the individual. 2016, c. 6, Sched. 1, s. 1 (16).

Compliance

(2) Where the prescribed organization receives a directive made under subsection (1), it shall, in accordance with the requirements prescribed in the regulations, if any, implement the directive. 2016, c. 6, Sched. 1, s. 1 (16).

Withdrawal or modifications

(3) Subject to the limitations prescribed in the regulations, if any, an individual who has made a directive under subsection (1) may withdraw or modify the directive. 2016, c. 6, Sched. 1, s. 1 (16).

How to make directive

(4) An individual may make a directive under subsection (1) or withdraw or modify a directive under subsection (3) by submitting the directive to the prescribed organization. 2016, c. 6, Sched. 1, s. 1 (16).

(6) If the directive does not contain sufficient detail to enable the prescribed organization to implement the directive with reasonable efforts, the prescribed organization shall offer assistance to the person in reformulating the directive to comply with subsection (5). 2016, c. 6, Sched. 1, s. 1 (16).

Information re directives

(7) If a health information custodian seeks to collect personal health information that is subject to a consent directive, the prescribed organization shall notify the custodian that an individual has made a directive under subsection (1) and shall ensure that no personal health information that is subject to the directive is provided. 2016, c. 6, Sched. 1, s. 1 (16).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (17))

Consent overrides

55.7 (1) Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if the custodian that is seeking to collect the information obtains the express consent of the individual to whom the information relates. 2016, c. 6, Sched. 1, s. 1 (17).

Same, protection of individual

(2) Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record if,

(a) the custodian that is seeking to collect the personal health information believes, on reasonable grounds, that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates; and

(b) it is not reasonably possible for the health information custodian that is seeking to collect the personal health information to obtain the individual’s consent in a timely manner. 2016, c. 6, Sched. 1, s. 1 (17).

Same, protection of others

(3) Despite the contents of a consent directive, a health information custodian may disclose personal health information that is subject to the directive by means of the electronic health record, if the health information custodian that is seeking to collect the personal health information believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons. 2016, c. 6, Sched. 1, s. 1 (17).

Use or disclosure

(4) Despite any other provision in this Act or its regulations, a health information custodian that collects personal health information under subsection (1), (2) or (3) may only use or disclose the information for the purpose for which the information was collected. 2016, c. 6, Sched. 1, s. 1 (17).

(6) Where personal health information has been collected in the circumstances described in subsection (1), (2) or (3), the prescribed organization shall immediately provide written notice, in accordance with the requirements in the regulations, to the health information custodian that collected the personal health information. 2016, c. 6, Sched. 1, s. 1 (17).

Same

(7) Upon receiving notice under subsection (6), the custodian that collected the personal health information in the circumstances described in subsection (1), (2) or (3) shall, at the first reasonable opportunity,

(a) notify the individual to whom the information relates, in accordance with the requirements in the regulations; and

(b) if the personal health information has been collected in the circumstances described in subsection (3), give written notice to the Commissioner, in accordance with the regulations, in a manner that does not provide identifying information about the individual to whom the information relates or the person or group of persons at significant risk of serious bodily harm. 2016, c. 6, Sched. 1, s. 1 (17).

No identifying information

(8) Where personal health information has been collected in the circumstances described in subsection (3), in notifying the individual to whom the information relates, the custodian shall not provide identifying information about the person or group of persons at significant risk of serious bodily harm. 2016, c. 6, Sched. 1, s. 1 (17).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (18))

Medication interaction checks

55.8 Despite the contents of a consent directive, personal health information may be utilized by a system that is maintained by the prescribed organization and that retrieves, processes or integrates personal health information that is accessible by means of the electronic health record to provide alerts to health information custodians about potentially harmful medication interactions, as long as the alerts do not reveal personal health information that is subject to the consent directive. 2016, c. 6, Sched. 1, s. 1 (18).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (19))

Collection of information by Ministry

55.9 (1) Despite section 55.5, and subject to subsection (2), the Minister may collect personal health information by means of the electronic health record for the purposes of,

(a) funding, planning or delivering health services that the Government of Ontario funds in whole or in part, directly or indirectly, or allocating resources to any of them; or

(b) detecting, monitoring or preventing fraud or inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario, where such payment, service or good is health-related or is prescribed in the regulations. 2016, c. 6, Sched. 1, s. 1 (19).

Practices and procedures

(2) The Minister may only collect personal health information under subsection (1), if,

(a) the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to collect personal health information under subsection (1) on the Minister’s behalf; and

(b) the prescribed unit of the Ministry has put in place practices and procedures,

(i) to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

(3) Where personal health information has been collected by the Minister under subsection (1), the prescribed unit shall, subject to the additional requirements, if any, that are prescribed, and in accordance with the practices and procedures approved by the Commissioner under subclause (2) (b) (ii),

(a) create a record containing the minimal amount of personal health information necessary for the purpose of de-identifying the information and linking it to other information in the custody or control of the Minister; and

(4) The prescribed unit of the Ministry may link the personal health information that has been de-identified under subsection (3) to other de-identified personal health information under the custody and control of the Minister. 2016, c. 6, Sched. 1, s. 1 (19).

Use in auditing, etc.

(5) The Minister may use personal health information collected under subsection (1) to conduct audits where there are reasonable grounds to believe there has been inappropriate receipt of a payment, service or good, including any subsidy or other benefit funded in whole or in part, directly or indirectly, by the Government of Ontario and where such payment, service or good is health-related or is prescribed in the regulations, if,

(a) the Lieutenant Governor in Council has prescribed not more than one unit of the Ministry to use the personal health information for the purpose set out in this subsection on the Minister’s behalf; and

(b) the prescribed unit of the Ministry has put in place practices and procedures,

(i) to protect the privacy of the individuals whose personal health information the Minister collects, and to maintain the confidentiality of the information, and

(6) The Minister may disclose personal health information used in an audit mentioned in subsection (5) if,

(a) the disclosure is required by law;

(b) the disclosure is for the purpose of a proceeding or contemplated proceeding in which the Minister or an agent or former agent of the Minister is, or is expected to be, a party or witness and the information relates to or is a matter in issue in the proceeding or contemplated proceeding; or

(c) the Minister has reasonable grounds to believe the audit reveals a contravention of the laws of Ontario or Canada and the disclosure is to a law enforcement agency in Canada to aid in an ongoing investigation by the agency or to enable the agency to determine whether to conduct an investigation, with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result. 2016, c. 6, Sched. 1, s. 1 (19).

No other uses and disclosures permitted

(7) Despite any other provision in this Act or the regulations, the Minister shall not use or disclose the personal health information collected under subsection (1) except as authorized by this section. 2016, c. 6, Sched. 1, s. 1 (19).

Direction to prescribed organization

(8) The Minister may issue a direction requiring the prescribed organization to provide the Minister with the information that the Minister is authorized to collect under subsection (1), and the prescribed organization must comply with the direction. 2016, c. 6, Sched. 1, s. 1 (19).

Terms and conditions

(9) A direction made under subsection (8) may specify the form, manner and timeframe in which the information that is the subject of the direction is to be provided to the Minister. 2016, c. 6, Sched. 1, s. 1 (19).

Disclosure

(10) If the Minister collects personal health information by means of the electronic health record under subsection (1), the disclosure of the personal health information to the Minister by the health information custodian who provided it to the prescribed organization is deemed to be permitted under this Act. 2016, c. 6, Sched. 1, s. 1 (19).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (20))

Provision of information for purposes other than health care

55.10 (1) Despite any other provision in this Act or the regulations, the Minister may direct the disclosure of personal health information that is accessible by means of the electronic health record to a person, as if the Minister had custody or control of the information, if,

(a) a person has requested that the Minister disclose the personal health information in accordance with clause 39 (1) (c), subsection 39 (2), section 44 or 45 of this Act;

(b) the personal health information requested by the person was provided to the prescribed organization under this Part by more than one health information custodian;

(c) the Minister has,

(i) submitted the request to the advisory committee,

(ii) provided the advisory committee with 30 days to review the request and make recommendations to the Minister, and

(iii) considered the recommendations, if any, made by the advisory committee; and

(d) the Minister has determined that the disclosure of the personal health information would be in accordance with clause 39 (1) (c), subsection 39 (2) or section 44 or 45. 2016, c. 6, Sched. 1, s. 1 (20).

Shorter time period

(2) The Minister may shorten the time period in subclause (1) (c) (ii) if,

(a) in the Minister’s opinion, the urgency of the situation requires it; and

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (21))

Advisory committee

55.11 (1) The Minister shall establish an advisory committee for the purpose of making recommendations to the Minister concerning,

(a) practices and procedures that the prescribed organization must have in place to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information;

(b) practices and procedures that the prescribed organization must have in place for responding or facilitating a response to a request made by an individual under Part V for a record of personal health information relating to the individual that is accessible by means of the electronic health record;

(c) the administrative, technical and physical safeguards the prescribed organization should have in place to protect the privacy of the individuals whose personal health information it receives and to maintain the confidentiality of the information;

(d) the role of the prescribed organization in assisting a health information custodian to fulfil its obligations to give notice to individuals under subsections 12 (2) and 55.5 (7) in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

(e) the provision of notice in the event that personal health information that is accessible by means of the electronic health record is stolen or lost or is collected, used or disclosed without authority;

(f) anything that is referred to in this Part or in the regulations as capable of being the subject of a recommendation of the advisory committee; and

(g) any other matter referred to the advisory committee by the Minister. 2016, c. 6, Sched. 1, s. 1 (21).

Terms of reference

(2) Subject to the other provisions of this Part, the Minister shall determine the terms of reference of the advisory committee, including terms of reference with respect to conflicts of interest, the membership of the committee and the organization and governance of the committee. 2016, c. 6, Sched. 1, s. 1 (21).

Appointments

(3) The Minister shall appoint the members of the advisory committee in accordance with the requirements, if any, prescribed in the regulations. 2016, c. 6, Sched. 1, s. 1 (21).

Support by Ministry

(4) The Ministry,

(a) shall provide administrative support for the advisory committee;

(b) shall have custody and control of the records of the advisory committee for the purposes of the Freedom of Information and Protection of Privacy Act; and

(c) is responsible for compliance with the Archives and Recordkeeping Act, 2006, in connection with records created by or supplied to the advisory committee. 2016, c. 6, Sched. 1, s. 1 (21).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (22))

Practices and procedures review

55.12 (1) The Commissioner shall review the practices and procedures of the prescribed organization referred to in paragraph 14 of section 55.3 and those of a prescribed unit of the Ministry referred to in clauses 55.9 (2) (b) and (5) (b) every three years after they are first approved to determine if the practices and procedures continue to meet the requirements of subparagraph 14 i of section 55.3 or of subclause 55.9 (2) (b) (i) or (5) (b) (i), as the case may be, and, after the review, the Commissioner may renew the approval. 2016, c. 6, Sched. 1, s. 1 (22).

Note: On a day to be named by proclamation of the Lieutenant Governor, the Act is amended by adding the following section: (See: 2016, c. 6, Sched. 1, s. 1 (23))

Protection from liability for health information custodian

55.13 A health information custodian who, acting in good faith, provides personal health information to the prescribed organization by means of the electronic health record is not liable for damages resulting from,

(a) any unauthorized viewing or handling of the provided information, or any unauthorized dealing with the provided information, by the prescribed organization, its employees or any other person acting on its behalf; or

(c) prescribing additional requirements with which the prescribed organization must comply in developing or maintaining the electronic health record;

(d) specifying data elements collected, used or disclosed by a health information custodian under subsection 55.5 (2) that may not be made subject to a consent directive provided by an individual under subsection 55.6 (1);

(e) governing the notices that are required under section 55.7 and requiring notices under other circumstances and governing such notices;

(f) prescribing the level of specificity at which personal health information may be made subject to a consent directive, including whose collection, use and disclosure of the information may be restricted;

(g) prescribing the units of the Ministry that will be permitted to collect, use and disclose personal health information by means of the electronic health record on behalf of the Minister for the purposes described in section 55.9;

(h) requiring classes of health information custodians or specific health information custodians to provide personal health information to the prescribed organization under this Part and specifying what personal health information they are required to provide;

(i) respecting the provision of services related to the electronic health record by the prescribed organization directly to individuals;

(j) providing for anything that under this Part may or must be provided for or prescribed by the regulations. 2016, c. 6, Sched. 1, s. 1 (24).

Same, two or more organizations prescribed

(3) A regulation made under clause (2) (a) may prescribe more than one organization to act as the prescribed organization for the purposes of this Part and may provide for the respective powers, duties and functions of each organization under this Part. 2016, c. 6, Sched. 1, s. 1 (24).

Review

(4) The Minister shall review every regulation made under the authority of clause (2) (f) at least once in every three-year period. 2016, c. 6, Sched. 1, s. 1 (24).

Public consultation

(5) Section 74 applies, with necessary modification, to the making of a regulation under this section. 2016, c. 6, Sched. 1, s. 1 (24).

56(1) A person who has reasonable grounds to believe that another person has contravened or is about to contravene a provision of this Act or its regulations may make a complaint to the Commissioner. 2004, c. 3, Sched. A, s. 56 (1).

Time for complaint

(2) A complaint that a person makes under subsection (1) must be in writing and must be filed within,

(a) one year after the subject-matter of the complaint first came to the attention of the complainant or should reasonably have come to the attention of the complainant, whichever is the shorter; or

(b) whatever longer period of time that the Commissioner permits if the Commissioner is satisfied that it does not result in any prejudice to any person. 2004, c. 3, Sched. A, s. 56 (2); 2009, c. 33, Sched. 18, s. 25 (6).

Same, refusal of request

(3) A complaint that an individual makes under subsection 54 (8) or 55 (7) or (12) shall be in writing and shall be filed within six months from the time at which the health information custodian refuses or is deemed to have refused the individual’s request mentioned in the applicable subsection. 2004, c. 3, Sched. A, s. 56 (3).

Non-application

(4) The Ombudsman Act
does not apply to any matter in respect of which a complaint may be made to the Commissioner under this Act or to the Commissioner or his or her employees or delegates acting under this Act. 2004, c. 3, Sched. A, s. 56 (4).

57 (1) Upon receiving a complaint made under this Act, the Commissioner may inform the person about whom the complaint is made of the nature of the complaint and,

(a) inquire as to what means, other than the complaint, that the complainant is using or has used to resolve the subject-matter of the complaint;

(b) require the complainant to try to effect a settlement, within the time period that the Commissioner specifies, with the person about which the complaint is made; or

(c) authorize a mediator to review the complaint and to try to effect a settlement, within the time period that the Commissioner specifies, between the complainant and the person about which the complaint is made. 2004, c. 3, Sched. A, s. 57 (1).

Dealings without prejudice

(2) If the Commissioner takes an action described in clause (1) (b) or (c) but no settlement is effected within the time period specified,

(a) none of the dealings between the parties to the attempted settlement shall prejudice the rights and duties of the parties under this Act;

(b) none of the information disclosed in the course of trying to effect a settlement shall prejudice the rights and duties of the parties under this Act; and

(c) none of the information disclosed in the course of trying to effect a settlement and that is subject to mediation privilege shall be used or disclosed outside the attempted settlement, including in a review of a complaint under this section or in an inspection under section 60, unless all parties expressly consent. 2004, c. 3, Sched. A, s. 57 (2).

Commissioner’s review

(3) If the Commissioner does not take an action described in clause (1) (b) or (c) or if the Commissioner takes an action described in one of those clauses but no settlement is effected within the time period specified, the Commissioner may review the subject-matter of a complaint made under this Act if satisfied that there are reasonable grounds to do so. 2004, c. 3, Sched. A, s. 57 (3).

No review

(4) The Commissioner may decide not to review the subject-matter of the complaint for whatever reason the Commissioner considers proper, including if satisfied that,

(a) the person about which the complaint is made has responded adequately to the complaint;

(b) the complaint has been or could be more appropriately dealt with, initially or completely, by means of a procedure, other than a complaint under this Act;

(c) the length of time that has elapsed between the date when the subject-matter of the complaint arose and the date the complaint was made is such that a review under this section would likely result in undue prejudice to any person;

(d) the complainant does not have a sufficient personal interest in the subject-matter of the complaint; or

(e) the complaint is frivolous or vexatious or is made in bad faith. 2004, c. 3, Sched. A, s. 57 (4).

Notice

(5) Upon deciding not to review the subject-matter of a complaint, the Commissioner shall give notice of the decision to the complainant and shall specify in the notice the reason for the decision. 2004, c. 3, Sched. A, s. 57 (5).

Same

(6) Upon deciding to review the subject-matter of a complaint, the Commissioner shall give notice of the decision to the person about whom the complaint is made. 2004, c. 3, Sched. A, s. 57 (6).

Commissioner’s self-initiated review

58 (1) The Commissioner may, on his or her own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Act or its regulations and that the subject-matter of the review relates to the contravention. 2004, c. 3, Sched. A, s. 58 (1).

Notice

(2) Upon deciding to conduct a review under this section, the Commissioner shall give notice of the decision to every person whose activities are being reviewed. 2004, c. 3, Sched. A, s. 58 (2).

Conduct of Commissioner’s review

59 (1) In conducting a review under section 57 or 58, the Commissioner may make the rules of procedure that the Commissioner considers necessary and the Statutory Powers Procedure Act does not apply to the review. 2004, c. 3, Sched. A, s. 59 (1).

Evidence

(2) In conducting a review under section 57 or 58, the Commissioner may receive and accept any evidence and other information that the Commissioner sees fit, whether on oath or by affidavit or otherwise and whether or not it is or would be admissible in a court of law. 2004, c. 3, Sched. A, s. 59 (2).

Inspection powers

60 (1) In conducting a review under section 57 or 58, the Commissioner may, without a warrant or court order, enter and inspect any premises in accordance with this section if,

(a) the Commissioner has reasonable grounds to believe that,

(i) the person about whom the complaint was made or the person whose activities are being reviewed is using the premises for a purpose related to the subject-matter of the complaint or the review, as the case may be, and

(ii) the premises contains books, records or other documents relevant to the subject-matter of the complaint or the review, as the case may be; and

(b) the Commissioner is conducting the inspection for the purpose of determining whether the person has contravened or is about to contravene a provision of this Act or its regulations.

(c) Revoked : 2016, c. 6, Sched. 1, s. 1 (25).

2004, c. 3, Sched. A, s. 60 (1); 2016, c. 6, Sched. 1, s. 1 (25).

Review powers

(2) In conducting a review under section 57 or 58, the Commissioner may,

(a) demand the production of any books, records or other documents relevant to the subject-matter of the review or copies of extracts from the books, records or other documents;

(b) inquire into all information, records, information practices of a health information custodian and other matters that are relevant to the subject-matter of the review;

(c) demand the production for inspection of anything described in clause (b);

(d) use any data storage, processing or retrieval device or system belonging to the person being investigated in order to produce a record in readable form of any books, records or other documents relevant to the subject-matter of the review; or

(e) on the premises that the Commissioner has entered, review or copy any books, records or documents that a person produces to the Commissioner, if the Commissioner pays the reasonable cost recovery fee that the health information custodian or person being reviewed may charge. 2004, c. 3, Sched. A, s. 60 (2).

Entry to dwellings

(3) The Commissioner shall not, without the consent of the occupier, exercise a power to enter a place that is being used as a dwelling, except under the authority of a search warrant issued under subsection (4). 2004, c. 3, Sched. A, s. 60 (3).

Search warrants

(4) Where a justice of the peace is satisfied by evidence upon oath or affirmation that there is reasonable ground to believe it is necessary to enter a place that is being used as a dwelling to investigate a complaint that is the subject of a review under section 57, he or she may issue a warrant authorizing the entry by a person named in the warrant. 2004, c. 3, Sched. A, s. 60 (4).

Time and manner for entry

(5) The Commissioner shall exercise the power to enter premises under this section only during reasonable hours for the premises and only in such a manner so as not to interfere with health care that is being provided to any person on the premises at the time of entry. 2004, c. 3, Sched. A, s. 60 (5).

No obstruction

(6) No person shall obstruct the Commissioner who is exercising powers under this section or provide the Commissioner with false or misleading information. 2004, c. 3, Sched. A, s. 60 (6).

Written demand

(7) A demand for books, records or documents or copies of extracts from them under subsection (2) must be in writing and must include a statement of the nature of the things that are required to be produced. 2004, c. 3, Sched. A, s. 60 (7).

Obligation to assist

(8) If the Commissioner makes a demand for any thing under subsection (2), the person having custody of the thing shall produce it to the Commissioner and, at the request of the Commissioner, shall provide whatever assistance is reasonably necessary, including using any data storage, processing or retrieval device or system to produce a record in readable form, if the demand is for a document. 2004, c. 3, Sched. A, s. 60 (8).

Removal of documents

(9) If a person produces books, records and other documents to the Commissioner, other than those needed for the current health care of any person, the Commissioner may, on issuing a written receipt, remove them and may review or copy any of them if the Commissioner is not able to review and copy them on the premises that the Commissioner has entered. 2004, c. 3, Sched. A, s. 60 (9).

Return of documents

(10) The Commissioner shall carry out any reviewing or copying of documents with reasonable dispatch, and shall forthwith after the reviewing or copying return the documents to the person who produced them. 2004, c. 3, Sched. A, s. 60 (10).

Admissibility of copies

(11) A copy certified by the Commissioner as a copy is admissible in evidence to the same extent, and has the same evidentiary value, as the thing copied. 2004, c. 3, Sched. A, s. 60 (11).

Answers under oath

(12) In conducting a review under section 57 or 58, the Commissioner may, by summons, in the same manner and to the same extent as a superior court of record, require the appearance of any person before the Commissioner and compel them to give oral or written evidence on oath or affirmation. 2004, c. 3, Sched. A, s. 60 (12).

Inspection of record without consent

(13) Despite subsections (2) and (12), the Commissioner shall not inspect a record of, require evidence of, or inquire into, personal health information without the consent of the individual to whom it relates, unless,

(a) the Commissioner first determines that it is reasonably necessary to do so, subject to any conditions or restrictions that the Commissioner specifies, which shall include a time limitation, in order to carry out the review and that the public interest in carrying out the review justifies dispensing with obtaining the individual's consent in the circumstances; and

(b) the Commissioner provides a statement to the person who has custody or control of the record to be inspected, or the evidence or information to be inquired into, setting out the Commissioner’s determination under clause (a) together with brief written reasons and any restrictions and conditions that the Commissioner has specified. 2004, c. 3, Sched. A, s. 60 (13).

Limitation on delegation

(14) Despite subsection 67 (1), the power to make a determination under clause (13) (a) and to approve the brief written reasons under clause (13) (b) may not be delegated except to the Assistant Commissioner. 2004, c. 3, Sched. A, s. 60 (14).

Document privileged

(15) A document or thing produced by a person in the course of a review is privileged in the same manner as if the review were a proceeding in a court. 2007, c. 10, Sched. H, s. 22.

Protection

(16) Except on the trial of a person for perjury in respect of his or her sworn testimony, no statement made or answer given by that or any other person in the course of a review by the Commissioner is admissible in evidence in any court or at any inquiry or in any other proceedings, and no evidence in respect of proceedings before the Commissioner shall be given against any person. 2004, c. 3, Sched. A, s. 60 (16).

Protection under federal Act

(17) The Commissioner shall inform a person giving a statement or answer in the course of a review by the Commissioner of the person’s right to object to answer any question under section 5 of the Canada Evidence Act. 2004, c. 3, Sched. A, s. 60 (17).

Representations

(18) The Commissioner shall give the person who made the complaint, the person about whom the complaint is made and any other affected person an opportunity to make representations to the Commissioner. 2004, c. 3, Sched. A, s. 60 (18).

Representative

(19) A person who is given an opportunity to make representations to the Commissioner may be represented by counsel or another person. 2004, c. 3, Sched. A, s. 60 (19).

Access to representations

(20) The Commissioner may permit a person to be present during the representations that another person makes to the Commissioner or to have access to them unless doing so would reveal,

(a) the substance of a record of personal health information, for which a health information custodian claims to be entitled to refuse a request for access made under section 53; or

(21) If the Commissioner or Assistant Commissioner has delegated his or her powers under this section to an officer or employee of the Commissioner, the officer or employee who exercises the powers shall, upon request, produce the certificate of delegation signed by the Commissioner or Assistant Commissioner, as the case may be. 2004, c. 3, Sched. A, s. 60 (21).

61(1) After conducting a review under section 57 or 58, the Commissioner may,

(a) if the review relates to a complaint into a request by an individual under subsection 53 (1) for access to a record of personal health information, make an order directing the health information custodian about whom the complaint was made to grant the individual access to the requested record;

(b) if the review relates to a complaint into a request by an individual under subsection 55 (1) for correction of a record of personal health information, make an order directing the health information custodian about whom a complaint was made to make the requested correction;

(c) make an order directing any person whose activities the Commissioner reviewed to perform a duty imposed by this Act or its regulations;

(d) make an order directing any person whose activities the Commissioner reviewed to cease collecting, using or disclosing personal health information if the Commissioner determines that the person is collecting, using or disclosing the information, as the case may be, or is about to do so in contravention of this Act, its regulations or an agreement entered into under this Act;

(e) make an order directing any person whose activities the Commissioner reviewed to dispose of records of personal health information that the Commissioner determines the person collected, used or disclosed in contravention of this Act, its regulations or an agreement entered into under this Act but only if the disposal of the records is not reasonably expected to adversely affect the provision of health care to an individual;

(f) make an order directing any health information custodian whose activities the Commissioner reviewed to change, cease or not commence an information practice specified by the Commissioner, if the Commissioner determines that the information practice contravenes this Act or its regulations;

(g) make an order directing any health information custodian whose activities the Commissioner reviewed to implement an information practice specified by the Commissioner, if the Commissioner determines that the information practice is reasonably necessary in order to achieve compliance withthis Act and its regulations;

(h) make an order directing any person who is an agent of a health information custodian, whose activities the Commissioner reviewed and that an order made under any of clauses (a) to (g) directs to take any action or to refrain from taking any action, to take the action or to refrain from taking the action if the Commissioner considers that it is necessary to make the order against the agent to ensure that the custodian will comply with the order made against the custodian; or

(i) make comments and recommendations on the privacy implications of any matter that is the subject of the review. 2004, c. 3, Sched. A, s. 61 (1).

Terms of order

(2) An order that the Commissioner makes under subsection (1) may contain the terms that the Commissioner considers appropriate. 2004, c. 3, Sched. A, s. 61 (2).

Copy of order, etc.

(3) Upon making comments, recommendations or an order under subsection (1), the Commissioner shall provide a copy of them, including reasons for any order made, to,

(a) the complainant and the person about whom the complaint was made, if the Commissioner made the comments, recommendations or order after conducting a review under section 57 of a complaint;

(b) the person whose activities the Commissioner reviewed, if the Commissioner made the comments, recommendations or order after conducting a review under section 58;

(c) all other persons to whom the order is directed;

(d) the body or bodies that are legally entitled to regulate or review the activities of a health information custodian directed in the order or to whom the comments or recommendations relate; and

(4) If, after conducting a review under section 57 or 58, the Commissioner does not make an order under subsection (1), the Commissioner shall give the complainant, if any, and the person whose activities the Commissioner reviewed a notice that sets out the Commissioner’s reasons for not making an order. 2004, c. 3, Sched. A, s. 61 (4).

Appeal of order

62 (1) A person affected by an order of the Commissioner made under any of clauses 61 (1) (c) to (h) may appeal the order to the Divisional Court on a question of law in accordance with the rules of court by filing a notice of appeal within 30 days after receiving the copy of the order. 2004, c. 3, Sched. A, s. 62 (1).

Certificate of Commissioner

(2) In an appeal under this section, the Commissioner shall certify to the Divisional Court,

(a) the order and a statement of the Commissioner’s reasons for making the order;

(b) the record of all hearings that the Commissioner has held in conducting the review on which the order is based;

(c) all written representations that the Commissioner received before making the order; and

(d) all other material that the Commissioner considers is relevant to the appeal. 2004, c. 3, Sched. A, s. 62 (2).

Confidentiality of information

(3) In an appeal under this section, the court may take precautions to avoid the disclosure by the court or any person of any personal health information about an individual, including, where appropriate, receiving representations without notice, conducting hearings in private or sealing the court files. 2004, c. 3, Sched. A, s. 62 (3).

Court order

(4) On hearing an appeal under this section, the court may, by order,

(a) direct the Commissioner to make the decisions and to do the acts that the Commissioner is authorized to do under this Act and that the court considers proper; and

63An order made by the Commissioner under this Act that has become final as a result of there being no further right of appeal may be filed with the Superior Court of Justice and on filing becomes and is enforceable as a judgment or order of the Superior Court of Justice to the same effect. 2004, c. 3, Sched. A, s. 63.

Further order of Commissioner

64 (1) After conducting a review under section 57 or 58 and making an order under subsection 61 (1), the Commissioner may rescind or vary the order or may make a further order under that subsection if new facts relating to the subject-matter of the review come to the Commissioner’s attention or if there is a material change in the circumstances relating to the subject-matter of the review. 2004, c. 3, Sched. A, s. 64 (1).

Circumstances

(2) The Commissioner may exercise the powers described in subsection (1) even if the order that the Commissioner rescinds or varies has been filed with the Superior Court of Justice under section 63. 2004, c. 3, Sched. A, s. 64 (2).

Copy of order, etc.

(3) Upon making a further order under subsection (1), the Commissioner shall provide a copy of it to the persons described in clauses 61 (3) (a) to (e) and shall include with the copy a notice setting out,

(a) the Commissioner’s reasons for making the order; and

(b) if the order was made under any of clauses 61 (1) (c) to (h), a statement that the persons affected by the order have the right to appeal described in subsection (4). 2004, c. 3, Sched. A, s. 64 (3).

Appeal

(4) A person affected by an order that the Commissioner rescinds, varies or makes under any of clauses 61 (1) (c) to (h) may appeal the order to the Divisional Court on a question of law in accordance with the rules of court by filing a notice of appeal within 30 days after receiving the copy of the order and subsections 62 (2) to (5) apply to the appeal. 2004, c. 3, Sched. A, s. 64 (4).

Damages for breach of privacy

65(1) If the Commissioner has made an order under this Act that has become final as the result of there being no further right of appeal, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of this Act or its regulations. 2004, c. 3, Sched. A, s. 65 (1).

Same

(2) If a person has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct. 2004, c. 3, Sched. A, s. 65 (2).

Damages for mental anguish

(3) If, in a proceeding described in subsection (1) or (2), the Superior Court of Justice determines that the harm suffered by the plaintiff was caused by a contravention or offence, as the case may be, that the defendants engaged in wilfully or recklessly, the court may include in its award of damages an award, not exceeding $10,000, for mental anguish. 2004, c. 3, Sched. A, s. 65 (3).

Commissioner

General powers

66The Commissioner may,

(a) engage in or commission research into matters affecting the carrying out of the purposes of this Act;

(b) conduct public education programs and provide information concerning this Act and the Commissioner’s role and activities;

(c) receive representations from the public concerning the operation of this Act;

(d) on the request of a health information custodian, offer comments on the custodian’s actual or proposed information practices;

(e) assist in investigations and similar procedures conducted by a person who performs similar functions to the Commissioner under the laws of Canada, except that in providing assistance, the Commissioner shall not use or disclose information collected by or for the Commissioner under this Act;

(f) in appropriate circumstances, authorize the collection of personal health information about an individual in a manner other than directly from the individual. 2004, c. 3, Sched. A, s. 66.

Delegation

67(1) The Commissioner may in writing delegate any of the Commissioner’s powers, duties or functions under this Act, including the power to make orders, to the Assistant Commissioner or to an officer or employee of the Commissioner. 2004, c. 3, Sched. A, s. 67 (1).

Subdelegation by Assistant Commissioner

(2) The Assistant Commissioner may in writing delegate any of the powers, duties or functions delegated to him or her under subsection (1) to any other officers or employees of the Commissioner, subject to the conditions and restrictions that the Assistant Commissioner specifies in the delegation. 2004, c. 3, Sched. A, s. 67 (2).

Limitations re personal health information

68 (1) The Commissioner and any person acting under his or her authority may collect, use or retain personal health information in the course of carrying out any functions under this Part solely if no other information will serve the purpose of the collection, use or retention of the personal health information and in no other circumstances. 2004, c. 3, Sched. A, s. 68 (1).

Extent of information

(2) The Commissioner and any person acting under his or her authority shall not in the course of carrying out any functions under this Part collect, use or retain more personal health information than is reasonably necessary to enable the Commissioner to perform his or her functions relating to the administration of this Act or for a proceeding under it. 2004, c. 3, Sched. A, s. 68 (2).

Confidentiality

(3) The Commissioner, the Assistant Commissioner and persons acting on behalf of or under the direction of either of them shall not disclose any information that comes to their knowledge in the course of exercising their functions under this Act unless,

(a) the disclosure is required for the purpose of exercising those functions;

(b) the information relates to a health information custodian, the disclosure is made to a body that is legally entitled to regulate or review the activities of the custodian and the Commissioner or the Assistant Commissioner is of the opinion that the disclosure is justified;

(c) the Commissioner obtained the information under subsection 60 (12) and the disclosure is required in a prosecution for an offence under section 131 of the Criminal Code
(Canada) in respect of sworn testimony; or

(d) the disclosure is made to the Attorney General, the information relates to the commission of an offence against an Act or an Act of Canada and the Commissioner is of the view that there is evidence of such an offence. 2004, c. 3, Sched. A, s. 68 (3).

Same

(4) Despite anything in subsection (3), the Commissioner, the Assistant Commissioner and persons acting on behalf of or under the direction of either of them shall not disclose,

(a) any quality of care information that comes to their knowledge in the course of exercising their functions under this Act; or

(b) the identity of a person, other than a complainant under subsection 56 (1), who has provided information to the Commissioner and who has requested the Commissioner to keep the person’s identity confidential. 2004, c. 3, Sched. A, s. 68 (4).

Information in review or proceeding

(5) The Commissioner in a review under section 57 or 58 and a court, tribunal or other person, including the Commissioner, in a proceeding mentioned in section 65 or this section shall take every reasonable precaution, including, when appropriate, receiving representations without notice and conducting hearings that are closed to the public, to avoid the disclosure of any information for which a health information custodian is entitled to refuse a request for access made under section 53. 2004, c. 3, Sched. A, s. 68 (5).

Not compellable witness

(6) The Commissioner, the Assistant Commissioner and persons acting on behalf of or under the direction of either of them shall not be required to give evidence in a court or in a proceeding of a judicial nature concerning anything coming to their knowledge in the exercise of their functions under this Act that they are prohibited from disclosing under subsection (3) or (4). 2004, c. 3, Sched. A, s. 68 (6).

Immunity

69 No action or other proceeding for damages may be instituted against the Commissioner, the Assistant Commissioner or any person acting on behalf of or under the direction of either of them for,

(a) anything done, reported or said in good faith and in the exercise or intended exercise of any of their powers or duties under this Act; or

(b) any alleged neglect or default in the exercise in good faith of any of their powers or duties under this Act. 2004, c. 3, Sched. A, s. 69.

(a) the person, acting in good faith and on the basis of reasonable belief, has disclosed to the Commissioner that any other person has contravened or is about to contravene a provision of this Act or its regulations;

(b) the person, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene a provision of this Act or its regulations;

(c) the person, acting in good faith and on the basis of reasonable belief, has refused to do or stated an intention of refusing to do anything that is in contravention of a provision of this Act or its regulations; or

(d) any person believes that the person will do anything described in clause (a), (b) or (c). 2004, c. 3, Sched. A, s. 70.

Immunity

71(1) No action or other proceeding for damages may be instituted against a health information custodian or any other person for,

(a) anything done, reported or said, both in good faith and reasonably in the circumstances, in the exercise or intended exercise of any of their powers or duties under this Act; or

(b) any alleged neglect or default that was reasonable in the circumstances in the exercise in good faith of any of their powers or duties under this Act. 2004, c. 3, Sched. A, s. 71 (1).

Crown liability

(2) Despite subsections 5 (2) and (4) of the Proceedings Against the Crown Act, subsection (1) does not relieve the Crown of liability in respect of a tort committed by a person mentioned in subsection (1) to which it would otherwise be subject. 2004, c. 3, Sched. A, s. 71 (2).

Substitute decision-maker

(3) A person who, on behalf of or in the place of an individual, gives or refuses consent to a collection, use or disclosure of personal health information about the individual, makes a request, gives an instruction or takes a step is not liable for damages for doing so if the person acts reasonably in the circumstances, in good faith and in accordance with this Act and its regulations. 2004, c. 3, Sched. A, s. 71 (3).

Reliance on assertion

(4) Unless it is not reasonable to do so in the circumstances, a person is entitled to rely on the accuracy of an assertion made by another person, in connection with a collection, use or disclosure of, or access to, the information under this Act, to the effect that the other person,

(a) is a person who is authorized to request access to a record of personal health information under section 53;

(b) is a person who is entitled under section 5 or 23 or subsection 26 (1) to consent to the collection, use or disclosure of personal health information about another individual;

(a) wilfully collects, uses or discloses personal health information in contravention of this Act or its regulations;

(b) makes a request under this Act, under false pretences, for access to or correction of a record of personal health information;

(c) in connection with the collection, use or disclosure of personal health information or access to a record of personal health information, makes an assertion, knowing that it is untrue, to the effect that the person,

(i) is a person who is entitled to consent to the collection, use or disclosure of personal health information about another individual,

(ii) meets the requirement of clauses 26 (2) (b) and (c),

(iii) holds the beliefs described in subsection 26 (5), or

(iv) is a person entitled to access to a record of personal health information under section 52;

(d) disposes of a record of personal health information in the custody or under the control of the custodian with an intent to evade a request for access to the record that the custodian has received under subsection 53 (1);

(e) wilfully disposes of a record of personal health information in contravention of section 13;

(g) wilfully obstructs the Commissioner or a person known to be acting under the authority of the Commissioner in the performance of his or her functions under this Act;

(h) wilfully makes a false statement to mislead or attempt to mislead the Commissioner or a person known to be acting under the authority of the Commissioner in the performance of his or her functions under this Act;

(i) wilfully fails to comply with an order made by the Commissioner or a person known to be acting under the authority of the Commissioner under this Act; or

(j) contravenes section 70. 2004, c. 3, Sched. A, s. 72 (1).

Penalty

(2) A person who is guilty of an offence under subsection (1) is liable, on conviction,

(a) if the person is a natural person, to a fine of not more than $100,000; and

(b) if the person is not a natural person, to a fine of not more than $500,000. 2004, c. 3, Sched. A, s. 72 (2); 2016, c. 6, Sched. 1, s. 1 (26).

Officers, etc.

(3) If a corporation commits an offence under this Act, every officer, member, employee or other agent of the corporation who authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, is a party to and guilty of the offence and is liable, on conviction, to the penalty for the offence, whether or not the corporation has been prosecuted or convicted. 2004, c. 3, Sched. A, s. 72 (3).

No prosecution

(4) No person is liable to prosecution for an offence against this or any other Act by reason of complying with a requirement of the Commissioner under this Act. 2004, c. 3, Sched. A, s. 72 (4).

Consent of Attorney General

(5) A prosecution shall not be commenced under subsection (1) without the consent of the Attorney General. 2016, c. 6, Sched. 1, s. 1 (27).

Presiding judge

(6) The Crown may, by notice to the clerk of the Ontario Court of Justice, require that a provincial judge preside over a proceeding in respect of an offence under subsection (1). 2016, c. 6, Sched. 1, s. 1 (27).

Protection of information

(7) In a prosecution for an offence under subsection (1) or where documents or materials are filed with a court under sections 158 to 160 of the Provincial Offences Act in relation to an investigation into an offence under this Act, the court may, at any time, take precautions to avoid the disclosure by the court or any person of any personal health information about an individual, including, where appropriate,

(a) removing the identifying information of any person whose personal health information is referred to in any documents or materials;

73(1) Subject to section 74, the Lieutenant Governor in Council may make regulations,

(a) prescribing or specifying anything that this Act describes as being prescribed, specified, described, provided for, authorized or required in the regulations made under this Act;

(b) exempting persons or classes of persons from the persons described in clause (d) of the definition of “health care practitioner” in section 2;

(c) specifying persons or classes of persons who shall not be included in the definition of “health information custodian” in subsection 3 (1);

(d) specifying that certain types of information shall or shall not be included in the definition of “personal health information” in subsection 4 (1);

(e) defining, for the purposes of this Act and its regulations, any word or expression used in this Act that has not already been expressly defined in this Act;

(f) making any provision of this Act or its regulations, that applies to some but not all health information custodians, applicable to a prescribed person mentioned in paragraph 8 of the definition of “health information custodian” in subsection 3 (1) or a member of a prescribed class of persons mentioned in that paragraph;

(g) specifying requirements with respect to information practices for the purposes of subsection 10 (1), including conditions that a health information custodian is required to comply with when collecting, using or disclosing personal health information or classes of personal health information, or specifying procedural processes or requirements for setting requirements with respect to information practices for the purposes of that subsection;

(h) specifying requirements, or a process for setting requirements, for the purposes of subsection 10 (3) with which a health information custodian is required to comply when using electronic means to collect, use, modify, disclose, retain or dispose of personal health information, including standards for transactions, data elements for transactions, code sets for data elements and procedures for the transmission and authentication of electronic signatures;

(i) specifying requirements for the purposes of subsection 17 (1), including requiring that a health information custodian and its agent enter into an agreement that complies with the regulations made under clause (k) before the custodian provides personal health information to the agent;

(j) specifying requirements that an agreement entered into under this Act or its regulations must contain;

(k) specifying requirements, restrictions or prohibitions with respect to the collection, use or disclosure of any class of personal health information by any person in addition to the requirements, restrictions or prohibitions set out in this Act;

(m) permitting notices, statements or any other things, that under this Act are required to be provided in writing, to be provided in electronic or other form instead, subject to the conditions or restrictions that are specified by the regulations made under this Act;

(n) prescribing under what circumstances the Canadian Blood Services may collect, use and disclose personal health information, the conditions that apply to the collection, use and disclosure of personal health information by the Canadian Blood Services and disclosures that may be made by a health information custodian to the Canadian Blood Services;

(n.1) requiring health information custodians to provide information to the Commissioner and specifying the type of information to be provided and the time at which and manner in which it is to be provided;

(o) specifying information relating to the administration or enforcement of this Act that is required to be contained in a report made under subsection 58 (1) of the Freedom of Information and Protection of Privacy Act;

(2) A regulation made under this Act may be of general application or specific to any person or persons or class or classes in its application. 2004, c. 3, Sched. A, s. 73 (2).

Classes

(3) A class described in the regulations made under this Act may be described according to any characteristic or combination of characteristics and may be described to include or exclude any specified member, whether or not with the same characteristics. 2004, c. 3, Sched. A, s. 73 (3).

74 (1) Subject to subsection (7), the Lieutenant Governor in Council shall not make any regulation under section 73 unless,

(a) the Minister has published a notice of the proposed regulation in The Ontario Gazette and given notice of the proposed regulation by all other means that the Minister considers appropriate for the purpose of providing notice to the persons who may be affected by the proposed regulation;

(b) the notice complies with the requirements of this section;

(c) the time periods specified in the notice, during which members of the public may exercise a right described in clause (2) (b) or (c), have expired; and

(d) the Minister has considered whatever comments and submissions that members of the public have made on the proposed regulation in accordance with clause (2) (b) or (c) and has reported to the Lieutenant Governor in Council on what, if any, changes to the proposed regulation the Minister considers appropriate. 2004, c. 3, Sched. A, s. 74 (1).

Contents of notice

(2) The notice mentioned in clause (1) (a) shall contain,

(a) a description of the proposed regulation and the text of it;

(b) a statement of the time period during which members of the public may submit written comments on the proposed regulation to the Minister and the manner in which and the address to which the comments must be submitted;

(c) a description of whatever other rights, in addition to the right described in clause (b), that members of the public have to make submissions on the proposed regulation and the manner in which and the time period during which those rights must be exercised;

(d) a statement of where and when members of the public may review written information about the proposed regulation;

(3) The time period mentioned in clauses (2) (b) and (c) shall be at least 60 days after the Minister gives the notice mentioned in clause (1) (a) unless the Minister shortens the time period in accordance with subsection (4). 2004, c. 3, Sched. A, s. 74 (3).

Shorter time period for comments

(4) The Minister may shorten the time period if, in the Minister’s opinion,

(a) the urgency of the situation requires it;

(b) the proposed regulation clarifies the intent or operation of this Act or the regulations; or

(5) Upon receiving the Minister’s report mentioned in clause (1) (d), the Lieutenant Governor in Council, without further notice under subsection (1), may make the proposed regulation with the changes that the Lieutenant Governor in Council considers appropriate, whether or not those changes are mentioned in the Minister’s report. 2004, c. 3, Sched. A, s. 74 (5).

No public consultation

(6) The Minister may decide that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under section 73 if, in the Minister’s opinion,

(a) the urgency of the situation requires it;

(b) the proposed regulation clarifies the intent or operation of this Act or the regulations; or

(7) If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under section 73,

(a) those subsections do not apply to the power of the Lieutenant Governor in Council to make the regulation; and

(b) the Minister shall give notice of the decision to the public and to the Commissioner as soon as is reasonably possible after making the decision. 2004, c. 3, Sched. A, s. 74 (7).

Contents of notice

(8) The notice mentioned in clause (7) (b) shall include a statement of the Minister’s reasons for making the decision and all other information that the Minister considers appropriate. 2004, c. 3, Sched. A, s. 74 (8).

Publication of notice

(9) The Minister shall publish the notice mentioned in clause (7) (b) in The Ontario Gazette
and give the notice by all other means that the Minister considers appropriate. 2004, c. 3, Sched. A, s. 74 (9).

Temporary regulation

(10) If the Minister decides that subsections (1) to (5) should not apply to the power of the Lieutenant Governor in Council to make a regulation under section 73 because the Minister is of the opinion that the urgency of the situation requires it, the regulation shall,

(a) be identified as a temporary regulation in the text of the regulation; and

(b) unless it is revoked before its expiry, expire at a time specified in the regulation, which shall not be after the second anniversary of the day on which the regulation comes into force. 2004, c. 3, Sched. A, s. 74 (10).

No review

(11) Subject to subsection (12), neither a court, nor the Commissioner shall review any action, decision, failure to take action or failure to make a decision by the Lieutenant Governor in Council or the Minister under this section. 2004, c. 3, Sched. A, s. 74 (11).

Exception

(12) Any person resident in Ontario may make an application for judicial review under the Judicial Review Procedure Act on the grounds that the Minister has not taken a step required by this section. 2004, c. 3, Sched. A, s. 74 (12).

Time for application

(13) No person shall make an application under subsection (12) with respect to a regulation later than 21 days after the day on which,

(a) the Minister publishes a notice with respect to the regulation under clause (1) (a) or subsection (9), where applicable; or

(b) the regulation is filed, if it is a regulation described in subsection (10). 2004, c. 3, Sched. A, s. 74 (13).

Review of Act

75A committee of the Legislative Assembly shall,

(a) begin a comprehensive review of this Act not later than the third anniversary of the day on which this section comes into force; and

(b) within one year after beginning that review, make recommendations to the Assembly concerning amendments to this Act. 2004, c. 3, Sched. A, s. 75.